Add detected kubernetes version (#869)

* Add detected kubernetes version to controls

* Refactor NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

New Control function is expecting detected version argument.

* Add detected kube version

* add detecetedKubeVersion

* Add detecetedKubeVersion

* Add detectedKubeVersion

* Add detecetedKubeVersion

* Fix missing version

* Change version

Change version from 3.10 to rh-0.7

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"
Yoav Rotem 3 years ago committed by GitHub
parent 182e64753e
commit 887965d31f

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 3 id: 3
text: "Control Plane Configuration" text: "Control Plane Configuration"
type: "controlplane" type: "controlplane"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.15 version: "cis-1.5"
id: 2 id: 2
text: "Etcd Node Configuration" text: "Etcd Node Configuration"
type: "etcd" type: "etcd"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 1 id: 1
text: "Master Node Security Configuration" text: "Master Node Security Configuration"
type: "master" type: "master"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 4 id: 4
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 5 id: 5
text: "Kubernetes Policies" text: "Kubernetes Policies"
type: "policies" type: "policies"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 3 id: 3
text: "Control Plane Configuration" text: "Control Plane Configuration"
type: "controlplane" type: "controlplane"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 2 id: 2
text: "Etcd Node Configuration" text: "Etcd Node Configuration"
type: "etcd" type: "etcd"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 1 id: 1
text: "Master Node Security Configuration" text: "Master Node Security Configuration"
type: "master" type: "master"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 4 id: 4
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 5 id: 5
text: "Kubernetes Policies" text: "Kubernetes Policies"
type: "policies" type: "policies"

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 3.10 version: "rh-0.7"
id: 1 id: 1
text: "Securing the OpenShift Master" text: "Securing the OpenShift Master"
type: "master" type: "master"

@ -1,5 +1,6 @@
--- ---
controls: controls:
version: "rh-0.7"
id: 2 id: 2
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"

@ -47,11 +47,12 @@ type OverallControls struct {
// Controls holds all controls to check for master nodes. // Controls holds all controls to check for master nodes.
type Controls struct { type Controls struct {
ID string `yaml:"id" json:"id"` ID string `yaml:"id" json:"id"`
Version string `json:"version"` Version string `json:"version"`
Text string `json:"text"` DetectedVersion string `json:"detected_version,omitempty"`
Type NodeType `json:"node_type"` Text string `json:"text"`
Groups []*Group `json:"tests"` Type NodeType `json:"node_type"`
Groups []*Group `json:"tests"`
Summary Summary
} }
@ -79,7 +80,7 @@ type Summary struct {
type Predicate func(group *Group, check *Check) bool type Predicate func(group *Group, check *Check) bool
// NewControls instantiates a new master Controls object. // NewControls instantiates a new master Controls object.
func NewControls(t NodeType, in []byte) (*Controls, error) { func NewControls(t NodeType, in []byte, detectedVersion string) (*Controls, error) {
c := new(Controls) c := new(Controls)
err := yaml.Unmarshal(in, c) err := yaml.Unmarshal(in, c)
@ -90,7 +91,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
if t != c.Type { if t != c.Type {
return nil, fmt.Errorf("non-%s controls file specified", t) return nil, fmt.Errorf("non-%s controls file specified", t)
} }
c.DetectedVersion = detectedVersion
return c, nil return c, nil
} }
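Review bot: The doc comment on NewControls was not updated for the new `detectedVersion` parameter, so a reader cannot tell what string is expected or where it ends up. I would extend it to `// NewControls instantiates a new master Controls object. detectedVersion is the Kubernetes version to record in the DetectedVersion field (emitted as detected_version in JSON); it is assigned after unmarshalling, so a value in the controls file itself is always overwritten.` The assignment-after-unmarshal ordering is worth stating explicitly, since it is what keeps the reported version under the caller's control rather than the YAML's. NewControls' body is split across the last two hunks, and the struct's `Summary` field sits in the first hunk without a field comment, unlike its neighbours.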

@ -83,7 +83,7 @@ type: # not specified
groups: groups:
`) `)
// when // when
_, err := NewControls(MASTER, in) _, err := NewControls(MASTER, in, "")
// then // then
assert.EqualError(t, err, "non-master controls file specified") assert.EqualError(t, err, "non-master controls file specified")
}) })
@ -92,7 +92,7 @@ groups:
// given // given
in := []byte("BOOM") in := []byte("BOOM")
// when // when
_, err := NewControls(MASTER, in) _, err := NewControls(MASTER, in, "")
// then // then
assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls") assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls")
}) })
@ -118,7 +118,7 @@ groups:
- id: G2/C1 - id: G2/C1
- id: G2/C2 - id: G2/C2
`) `)
controls, err := NewControls(MASTER, in) controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err) assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool { var allChecks Predicate = func(group *Group, c *Check) bool {
@ -153,7 +153,7 @@ groups:
checks: checks:
- id: G1/C1 - id: G1/C1
`) `)
controls, err := NewControls(MASTER, in) controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err) assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool { var allChecks Predicate = func(group *Group, c *Check) bool {
@ -196,7 +196,7 @@ groups:
scored: true scored: true
`) `)
// and // and
controls, err := NewControls(MASTER, in) controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err) assert.NoError(t, err)
// and // and
runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS) runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS)
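Review bot: Every updated call in this file passes `""` for the new argument, so the new DetectedVersion field is never asserted on and a regression in the assignment would go unnoticed. One of the existing success-path tests could pin it, e.g. `controls, err := NewControls(MASTER, in, "1.18")`, `assert.NoError(t, err)`, `assert.Equal(t, "1.18", controls.DetectedVersion)`. The same mechanical `""` update appears in the `init()` hunk and in the cmd/common_test.go hunk further down, which is fine for those, but the behaviour should be covered at least once here.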

@ -38,7 +38,7 @@ func init() {
user := os.Getenv("USER") user := os.Getenv("USER")
s := strings.Replace(string(in), "$user", user, -1) s := strings.Replace(string(in), "$user", user, -1)
controls, err = NewControls(MASTER, []byte(s)) controls, err = NewControls(MASTER, []byte(s), "")
// controls, err = NewControls(MASTER, in) // controls, err = NewControls(MASTER, in)
if err != nil { if err != nil {
panic("Failed creating test controls: " + err.Error()) panic("Failed creating test controls: " + err.Error())

@ -64,7 +64,7 @@ func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
}, nil }, nil
} }
func runChecks(nodetype check.NodeType, testYamlFile string) { func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
// Verify config file was loaded into Viper during Cobra sub-command initialization. // Verify config file was loaded into Viper during Cobra sub-command initialization.
if configFileError != nil { if configFileError != nil {
colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError)) colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError))
@ -106,7 +106,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap) s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap)
s, _ = makeSubstitutions(s, "cafile", cafilemap) s, _ = makeSubstitutions(s, "cafile", cafilemap)
controls, err := check.NewControls(nodetype, []byte(s)) controls, err := check.NewControls(nodetype, []byte(s), detectedVersion)
if err != nil { if err != nil {
exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err)) exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err))
} }
@ -123,7 +123,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
controlsCollection = append(controlsCollection, controls) controlsCollection = append(controlsCollection, controls)
} }
func generateDefaultEnvAudit(controls *check.Controls, binSubs []string){ func generateDefaultEnvAudit(controls *check.Controls, binSubs []string) {
for _, group := range controls.Groups { for _, group := range controls.Groups {
for _, checkItem := range group.Checks { for _, checkItem := range group.Checks {
if checkItem.Tests != nil && !checkItem.DisableEnvTesting { if checkItem.Tests != nil && !checkItem.DisableEnvTesting {
@ -314,11 +314,15 @@ func loadTargetMapping(v *viper.Viper) (map[string][]string, error) {
} }
func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *viper.Viper) (bv string, err error) { func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *viper.Viper) (bv string, err error) {
detecetedKubeVersion = "none"
if !isEmpty(kubeVersion) && !isEmpty(benchmarkVersion) { if !isEmpty(kubeVersion) && !isEmpty(benchmarkVersion) {
return "", fmt.Errorf("It is an error to specify both --version and --benchmark flags") return "", fmt.Errorf("It is an error to specify both --version and --benchmark flags")
} }
if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName){ if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName) {
benchmarkVersion = getPlatformBenchmarkVersion(platformName) benchmarkVersion = getPlatformBenchmarkVersion(platformName)
if !isEmpty(benchmarkVersion) {
detecetedKubeVersion = benchmarkVersion
}
} }
if isEmpty(benchmarkVersion) { if isEmpty(benchmarkVersion) {
@ -328,6 +332,7 @@ func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *
return "", fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err) return "", fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err)
} }
kubeVersion = kv.BaseVersion() kubeVersion = kv.BaseVersion()
detecetedKubeVersion = kubeVersion
} }
kubeToBenchmarkMap, err := loadVersionMapping(v) kubeToBenchmarkMap, err := loadVersionMapping(v)
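Review bot: getBenchmarkVersion now initialises the package-level `detecetedKubeVersion` to the literal `"none"`, which defeats the `omitempty` on Controls.DetectedVersion: every report produced on the `--version`/`--benchmark` path will carry `detected_version: "none"` instead of omitting the field. Setting it to `""` (`detecetedKubeVersion = ""`) keeps the sentinel semantics for callers while letting the JSON tag do its job. The same variable is also assigned a benchmark id in the platform branch and a Kubernetes base version in the auto-detect branch, so the field's meaning depends on the code path; a comment on the variable, or a return value instead of a global side effect, would make that explicit. The function's remaining body and the platform branch it reads from lie outside these hunks, so I am inferring the `--version` path from the visible assignments.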

@ -630,7 +630,7 @@ groups:
Edit the config file /this/is/a/file/path and set SomeSampleFlag to true. Edit the config file /this/is/a/file/path and set SomeSampleFlag to true.
scored: true scored: true
`) `)
controls, err := check.NewControls(check.MASTER, input) controls, err := check.NewControls(check.MASTER, input, "")
assert.NoError(t, err) assert.NoError(t, err)
binSubs := []string{"TestBinPath"} binSubs := []string{"TestBinPath"}

@ -34,7 +34,7 @@ var masterCmd = &cobra.Command{
} }
filename := loadConfig(check.MASTER, bv) filename := loadConfig(check.MASTER, bv)
runChecks(check.MASTER, filename) runChecks(check.MASTER, filename, detecetedKubeVersion)
writeOutput(controlsCollection) writeOutput(controlsCollection)
}, },
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=master` instead.", Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=master` instead.",

@ -34,7 +34,7 @@ var nodeCmd = &cobra.Command{
} }
filename := loadConfig(check.NODE, bv) filename := loadConfig(check.NODE, bv)
runChecks(check.NODE, filename) runChecks(check.NODE, filename, detecetedKubeVersion)
writeOutput(controlsCollection) writeOutput(controlsCollection)
}, },
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=node` instead.", Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=node` instead.",

@ -33,33 +33,34 @@ type FilterOpts struct {
} }
var ( var (
envVarsPrefix = "KUBE_BENCH" envVarsPrefix = "KUBE_BENCH"
defaultKubeVersion = "1.18" defaultKubeVersion = "1.18"
kubeVersion string kubeVersion string
benchmarkVersion string detecetedKubeVersion string
cfgFile string benchmarkVersion string
cfgDir = "./cfg/" cfgFile string
jsonFmt bool cfgDir = "./cfg/"
junitFmt bool jsonFmt bool
pgSQL bool junitFmt bool
aSFF bool pgSQL bool
masterFile = "master.yaml" aSFF bool
nodeFile = "node.yaml" masterFile = "master.yaml"
etcdFile = "etcd.yaml" nodeFile = "node.yaml"
controlplaneFile = "controlplane.yaml" etcdFile = "etcd.yaml"
policiesFile = "policies.yaml" controlplaneFile = "controlplane.yaml"
managedservicesFile = "managedservices.yaml" policiesFile = "policies.yaml"
exitCode int managedservicesFile = "managedservices.yaml"
noResults bool exitCode int
noSummary bool noResults bool
noRemediations bool noSummary bool
skipIds string noRemediations bool
noTotals bool skipIds string
filterOpts FilterOpts noTotals bool
includeTestOutput bool filterOpts FilterOpts
outputFile string includeTestOutput bool
configFileError error outputFile string
controlsCollection []*check.Controls configFileError error
controlsCollection []*check.Controls
) )
// RootCmd represents the base command when called without any subcommands // RootCmd represents the base command when called without any subcommands
@ -76,7 +77,7 @@ var RootCmd = &cobra.Command{
if isMaster() { if isMaster() {
glog.V(1).Info("== Running master checks ==") glog.V(1).Info("== Running master checks ==")
runChecks(check.MASTER, loadConfig(check.MASTER, bv)) runChecks(check.MASTER, loadConfig(check.MASTER, bv), detecetedKubeVersion)
// Control Plane is only valid for CIS 1.5 and later, // Control Plane is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions // this a gatekeeper for previous versions
@ -86,7 +87,7 @@ var RootCmd = &cobra.Command{
} }
if valid { if valid {
glog.V(1).Info("== Running control plane checks ==") glog.V(1).Info("== Running control plane checks ==")
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv)) runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv), detecetedKubeVersion)
} }
} else { } else {
glog.V(1).Info("== Skipping master checks ==") glog.V(1).Info("== Skipping master checks ==")
@ -100,13 +101,13 @@ var RootCmd = &cobra.Command{
} }
if valid && isEtcd() { if valid && isEtcd() {
glog.V(1).Info("== Running etcd checks ==") glog.V(1).Info("== Running etcd checks ==")
runChecks(check.ETCD, loadConfig(check.ETCD, bv)) runChecks(check.ETCD, loadConfig(check.ETCD, bv), detecetedKubeVersion)
} else { } else {
glog.V(1).Info("== Skipping etcd checks ==") glog.V(1).Info("== Skipping etcd checks ==")
} }
glog.V(1).Info("== Running node checks ==") glog.V(1).Info("== Running node checks ==")
runChecks(check.NODE, loadConfig(check.NODE, bv)) runChecks(check.NODE, loadConfig(check.NODE, bv), detecetedKubeVersion)
// Policies is only valid for CIS 1.5 and later, // Policies is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions. // this a gatekeeper for previous versions.
@ -116,7 +117,7 @@ var RootCmd = &cobra.Command{
} }
if valid { if valid {
glog.V(1).Info("== Running policies checks ==") glog.V(1).Info("== Running policies checks ==")
runChecks(check.POLICIES, loadConfig(check.POLICIES, bv)) runChecks(check.POLICIES, loadConfig(check.POLICIES, bv), detecetedKubeVersion)
} else { } else {
glog.V(1).Info("== Skipping policies checks ==") glog.V(1).Info("== Skipping policies checks ==")
} }
@ -129,7 +130,7 @@ var RootCmd = &cobra.Command{
} }
if valid { if valid {
glog.V(1).Info("== Running managed services checks ==") glog.V(1).Info("== Running managed services checks ==")
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv)) runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv), detecetedKubeVersion)
} else { } else {
glog.V(1).Info("== Skipping managed services checks ==") glog.V(1).Info("== Skipping managed services checks ==")
} }
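Review bot: The new package-level variable is spelled `detecetedKubeVersion` while the struct field it feeds is `DetectedVersion` and the commit itself uses both spellings; renaming it to `detectedKubeVersion` before it spreads further would avoid a permanent typo in a global. It is also the only entry in the `var` block whose purpose is not obvious from its name and it is mutated from getBenchmarkVersion, so I would add `// detectedKubeVersion is set as a side effect of getBenchmarkVersion and is passed to every runChecks call; it is "none" until that function runs.` The master.go, node.go and run.go hunks read the same global, so the rename touches those call sites too.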

@ -75,7 +75,7 @@ func run(targets []string, benchmarkVersion string) (err error) {
for _, yamlFile := range yamlFiles { for _, yamlFile := range yamlFiles {
_, name := filepath.Split(yamlFile) _, name := filepath.Split(yamlFile)
testType := check.NodeType(strings.Split(name, ".")[0]) testType := check.NodeType(strings.Split(name, ".")[0])
runChecks(testType, yamlFile) runChecks(testType, yamlFile, detecetedKubeVersion)
} }
writeOutput(controlsCollection) writeOutput(controlsCollection)
