Reorder YAML to make a bit more sense. Allow for optional components, and a config file that we don’t think exists.
This commit is contained in:
parent
e4b905e360
commit
a3197f8efe
@ -8,69 +8,106 @@
|
|||||||
# federatedControls: ./cfg/federated.yaml
|
# federatedControls: ./cfg/federated.yaml
|
||||||
|
|
||||||
master:
|
master:
|
||||||
bins:
|
components:
|
||||||
|
- apiserver
|
||||||
|
- scheduler
|
||||||
|
- controllermanager
|
||||||
|
- etcd
|
||||||
|
- flanneld
|
||||||
|
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the
|
||||||
|
# benchmark but is believed to now be obselete
|
||||||
|
- kubernetes
|
||||||
|
|
||||||
|
kubernetes:
|
||||||
|
defaultconf: /etc/kubernetes/config
|
||||||
|
|
||||||
apiserver:
|
apiserver:
|
||||||
|
bins:
|
||||||
- "kube-apiserver"
|
- "kube-apiserver"
|
||||||
- "hyperkube apiserver"
|
- "hyperkube apiserver"
|
||||||
- "apiserver"
|
- "apiserver"
|
||||||
|
confs:
|
||||||
|
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||||
|
- /etc/kubernetes/apiserver.conf
|
||||||
|
- /etc/kubernetes/apiserver
|
||||||
|
defaultconf: /etc/kubernetes/apiserver
|
||||||
|
|
||||||
scheduler:
|
scheduler:
|
||||||
|
bins:
|
||||||
- "kube-scheduler"
|
- "kube-scheduler"
|
||||||
- "hyperkube scheduler"
|
- "hyperkube scheduler"
|
||||||
- "scheduler"
|
- "scheduler"
|
||||||
|
confs:
|
||||||
|
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
||||||
|
- /etc/kubernetes/scheduler.conf
|
||||||
|
- /etc/kubernetes/scheduler
|
||||||
|
defaultconf: /etc/kubernetes/scheduler
|
||||||
|
|
||||||
controllermanager:
|
controllermanager:
|
||||||
|
bins:
|
||||||
- "kube-controller-manager"
|
- "kube-controller-manager"
|
||||||
- "hyperkube controller-manager"
|
- "hyperkube controller-manager"
|
||||||
- "controller-manager"
|
- "controller-manager"
|
||||||
confs:
|
confs:
|
||||||
apiserver:
|
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||||
- /etc/kubernetes/admin.conf
|
|
||||||
- /etc/kubernetes/apiserver
|
|
||||||
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
|
||||||
scheduler:
|
|
||||||
- /etc/kubernetes/scheduler.conf
|
|
||||||
- /etc/kubernetes/scheduler
|
|
||||||
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
|
||||||
controller-manager:
|
|
||||||
- /etc/kubernetes/controller-manager.conf
|
- /etc/kubernetes/controller-manager.conf
|
||||||
- /etc/kubernetes/controller-manager
|
- /etc/kubernetes/controller-manager
|
||||||
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
defaultconf: /etc/kubernetes/controller-manager
|
||||||
|
|
||||||
etcd:
|
etcd:
|
||||||
|
optional: true
|
||||||
|
bins:
|
||||||
|
- "etcd"
|
||||||
|
confs:
|
||||||
|
- /etc/kubernetes/manifests/etcd.yaml
|
||||||
- /etc/etcd/etcd.conf
|
- /etc/etcd/etcd.conf
|
||||||
|
defaultconf: /etc/etcd/etcd.conf
|
||||||
|
|
||||||
flanneld:
|
flanneld:
|
||||||
- /etc/sysconfig/flanneld
|
optional: true
|
||||||
|
bins:
|
||||||
|
- flanneld
|
||||||
|
defaultconf: /etc/sysconfig/flanneld
|
||||||
|
|
||||||
|
|
||||||
node:
|
node:
|
||||||
bins:
|
components:
|
||||||
|
- kubelet
|
||||||
|
- proxy
|
||||||
|
|
||||||
kubelet:
|
kubelet:
|
||||||
|
bins:
|
||||||
- "hyperkube kubelet"
|
- "hyperkube kubelet"
|
||||||
- "kubelet"
|
- "kubelet"
|
||||||
|
confs:
|
||||||
|
- /etc/kubernetes/kubelet.conf
|
||||||
|
- /etc/kubernetes/kubelet
|
||||||
|
|
||||||
proxy:
|
proxy:
|
||||||
|
bins:
|
||||||
- "kube-proxy"
|
- "kube-proxy"
|
||||||
- "hyperkube proxy"
|
- "hyperkube proxy"
|
||||||
- "proxy"
|
- "proxy"
|
||||||
confs:
|
confs:
|
||||||
kubelet:
|
|
||||||
- /etc/kubernetes/kubelet.conf
|
|
||||||
- /etc/kubernetes/kubelet
|
|
||||||
proxy:
|
|
||||||
- /etc/kubernetes/proxy.conf
|
- /etc/kubernetes/proxy.conf
|
||||||
- /etc/kubernetes/proxy
|
- /etc/kubernetes/proxy
|
||||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||||
|
|
||||||
federated:
|
federated:
|
||||||
bins:
|
components:
|
||||||
|
- fedapiserver
|
||||||
|
- fedcontrollermanager
|
||||||
|
|
||||||
fedapiserver:
|
fedapiserver:
|
||||||
|
bins:
|
||||||
- "hyperkube federation-apiserver"
|
- "hyperkube federation-apiserver"
|
||||||
- "kube-federation-apiserver"
|
- "kube-federation-apiserver"
|
||||||
- "federation-apiserver"
|
- "federation-apiserver"
|
||||||
|
|
||||||
fedcontrollermanager:
|
fedcontrollermanager:
|
||||||
|
bins:
|
||||||
- "hyperkube federation-controller-manager"
|
- "hyperkube federation-controller-manager"
|
||||||
- "kube-federation-controller-manager"
|
- "kube-federation-controller-manager"
|
||||||
- "federation-controller-manager"
|
- "federation-controller-manager"
|
||||||
|
|
||||||
optional:
|
|
||||||
bins:
|
|
||||||
etcd:
|
|
||||||
- "etcd"
|
|
||||||
flanneld:
|
|
||||||
- "flanneld"
|
|
||||||
|
@ -17,7 +17,6 @@ package cmd
|
|||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
|
||||||
|
|
||||||
"github.com/aquasecurity/kube-bench/check"
|
"github.com/aquasecurity/kube-bench/check"
|
||||||
"github.com/spf13/viper"
|
"github.com/spf13/viper"
|
||||||
@ -67,10 +66,10 @@ func runChecks(t check.NodeType) {
|
|||||||
typeConf = viper.Sub("federated")
|
typeConf = viper.Sub("federated")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the set of exectuables we care about on this type of node
|
// Get the set of exectuables and config files we care about on this type of node. This also
|
||||||
binmap := getBinaries(typeConf.Sub("bins"), false)
|
// checks that the executables we need for the node type are running.
|
||||||
extrasmap := getBinaries(viper.Sub("optional"), true)
|
binmap := getBinaries(typeConf)
|
||||||
confmap := getConfigFiles(typeConf.Sub("confs"))
|
confmap := getConfigFiles(typeConf)
|
||||||
|
|
||||||
// Run kubernetes installation validation checks.
|
// Run kubernetes installation validation checks.
|
||||||
verifyKubeVersion(kubeMajorVersion, kubeMinorVersion)
|
verifyKubeVersion(kubeMajorVersion, kubeMinorVersion)
|
||||||
@ -92,7 +91,6 @@ func runChecks(t check.NodeType) {
|
|||||||
// Variable substitutions. Replace all occurrences of variables in controls files.
|
// Variable substitutions. Replace all occurrences of variables in controls files.
|
||||||
s := string(in)
|
s := string(in)
|
||||||
s = makeSubstitutions(s, "bin", binmap)
|
s = makeSubstitutions(s, "bin", binmap)
|
||||||
s = makeSubstitutions(s, "bin", extrasmap)
|
|
||||||
s = makeSubstitutions(s, "conf", confmap)
|
s = makeSubstitutions(s, "conf", confmap)
|
||||||
|
|
||||||
controls, err := check.NewControls(t, []byte(s))
|
controls, err := check.NewControls(t, []byte(s))
|
||||||
|
56
cmd/util.go
56
cmd/util.go
@ -85,17 +85,34 @@ func ps(proc string) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// getBinaries finds which of the set of candidate executables are running
|
// getBinaries finds which of the set of candidate executables are running
|
||||||
func getBinaries(v *viper.Viper, optional bool) map[string]string {
|
func getBinaries(v *viper.Viper) map[string]string {
|
||||||
binmap := make(map[string]string)
|
binmap := make(map[string]string)
|
||||||
|
|
||||||
for _, exeType := range v.AllKeys() {
|
for _, component := range v.GetStringSlice("components") {
|
||||||
bin, err := findExecutable(v.GetStringSlice(exeType))
|
s := v.Sub(component)
|
||||||
if err != nil && !optional {
|
if s == nil {
|
||||||
exitWithError(fmt.Errorf("looking for %s executable but none of the candidates are running", exeType))
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
binmap[exeType] = bin
|
optional := s.GetBool("optional")
|
||||||
|
bins := s.GetStringSlice("bins")
|
||||||
|
if len(bins) > 0 {
|
||||||
|
bin, err := findExecutable(bins)
|
||||||
|
if err != nil && !optional {
|
||||||
|
exitWithError(fmt.Errorf("need %s executable but none of the candidates are running", component))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Default the executable name that we'll substitute to the name of the component
|
||||||
|
if bin == "" {
|
||||||
|
bin = component
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Component %s not running", component))
|
||||||
|
} else {
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Component %s uses running binary %s", component, bin))
|
||||||
|
}
|
||||||
|
binmap[component] = bin
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return binmap
|
return binmap
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -103,13 +120,28 @@ func getBinaries(v *viper.Viper, optional bool) map[string]string {
|
|||||||
func getConfigFiles(v *viper.Viper) map[string]string {
|
func getConfigFiles(v *viper.Viper) map[string]string {
|
||||||
confmap := make(map[string]string)
|
confmap := make(map[string]string)
|
||||||
|
|
||||||
for _, confType := range v.AllKeys() {
|
for _, component := range v.GetStringSlice("components") {
|
||||||
conf := findConfigFile(v.GetStringSlice(confType))
|
s := v.Sub(component)
|
||||||
if conf == "" {
|
if s == nil {
|
||||||
printlnWarn(fmt.Sprintf("Missing kubernetes config file for %s", confType))
|
continue
|
||||||
} else {
|
|
||||||
confmap[confType] = conf
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// See if any of the candidate config files exist
|
||||||
|
conf := findConfigFile(s.GetStringSlice("confs"))
|
||||||
|
if conf == "" {
|
||||||
|
if s.IsSet("defaultconf") {
|
||||||
|
conf = s.GetString("defaultconf")
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
|
||||||
|
} else {
|
||||||
|
// Default the config file name that we'll substitute to the name of the component
|
||||||
|
printlnWarn(fmt.Sprintf("Missing config file for %s", component))
|
||||||
|
conf = component
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Component %s uses config file '%s'", component, conf))
|
||||||
|
}
|
||||||
|
|
||||||
|
confmap[component] = conf
|
||||||
}
|
}
|
||||||
|
|
||||||
return confmap
|
return confmap
|
||||||
|
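Review bot: The `if s == nil { continue }` guard in the new getBinaries loop (and the identical guard in getConfigFiles in the second hunk) silently drops any name listed under `components` that has no matching sub-section, so a typo in the config leaves that component out of binmap/confmap and, presumably, its placeholder in the controls file unsubstituted, with the affected audits then running against a literal placeholder and no indication why. A warning before the `continue` makes the misconfiguration visible: `printlnWarn(fmt.Sprintf("Component %s is listed under components but has no configuration section", component))`. The `glog.V(2).Info(fmt.Sprintf(...))` calls could also be written as `glog.V(2).Infof(...)`, and if util.go does not already import glog the hunks shown here do not add it. getConfigFiles's closing brace lies outside the second hunk.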