
Reorder YAML to make a bit more sense. Allow for optional components, and a config file that we don’t think exists.

This commit is contained in:
Liz Rice 2017-08-31 14:45:16 +01:00
parent e4b905e360
commit a3197f8efe
3 changed files with 120 additions and 53 deletions


@ -8,69 +8,106 @@
# federatedControls: ./cfg/federated.yaml # federatedControls: ./cfg/federated.yaml
master: master:
bins: components:
- apiserver
- scheduler
- controllermanager
- etcd
- flanneld
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the
# benchmark but is believed to now be obselete
- kubernetes
kubernetes:
defaultconf: /etc/kubernetes/config
apiserver: apiserver:
bins:
- "kube-apiserver" - "kube-apiserver"
- "hyperkube apiserver" - "hyperkube apiserver"
- "apiserver" - "apiserver"
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/apiserver.conf
- /etc/kubernetes/apiserver
defaultconf: /etc/kubernetes/apiserver
scheduler: scheduler:
bins:
- "kube-scheduler" - "kube-scheduler"
- "hyperkube scheduler" - "hyperkube scheduler"
- "scheduler" - "scheduler"
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/scheduler.conf
- /etc/kubernetes/scheduler
defaultconf: /etc/kubernetes/scheduler
controllermanager: controllermanager:
bins:
- "kube-controller-manager" - "kube-controller-manager"
- "hyperkube controller-manager" - "hyperkube controller-manager"
- "controller-manager" - "controller-manager"
confs: confs:
apiserver: - /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/admin.conf
- /etc/kubernetes/apiserver
- /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
- /etc/kubernetes/scheduler.conf
- /etc/kubernetes/scheduler
- /etc/kubernetes/manifests/kube-scheduler.yaml
controller-manager:
- /etc/kubernetes/controller-manager.conf - /etc/kubernetes/controller-manager.conf
- /etc/kubernetes/controller-manager - /etc/kubernetes/controller-manager
- /etc/kubernetes/manifests/kube-controller-manager.yaml defaultconf: /etc/kubernetes/controller-manager
etcd: etcd:
optional: true
bins:
- "etcd"
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/etcd/etcd.conf - /etc/etcd/etcd.conf
defaultconf: /etc/etcd/etcd.conf
flanneld: flanneld:
- /etc/sysconfig/flanneld optional: true
bins:
- flanneld
defaultconf: /etc/sysconfig/flanneld
node: node:
bins: components:
- kubelet
- proxy
kubelet: kubelet:
bins:
- "hyperkube kubelet" - "hyperkube kubelet"
- "kubelet" - "kubelet"
confs:
- /etc/kubernetes/kubelet.conf
- /etc/kubernetes/kubelet
proxy: proxy:
bins:
- "kube-proxy" - "kube-proxy"
- "hyperkube proxy" - "hyperkube proxy"
- "proxy" - "proxy"
confs: confs:
kubelet:
- /etc/kubernetes/kubelet.conf
- /etc/kubernetes/kubelet
proxy:
- /etc/kubernetes/proxy.conf - /etc/kubernetes/proxy.conf
- /etc/kubernetes/proxy - /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
federated: federated:
bins: components:
- fedapiserver
- fedcontrollermanager
fedapiserver: fedapiserver:
bins:
- "hyperkube federation-apiserver" - "hyperkube federation-apiserver"
- "kube-federation-apiserver" - "kube-federation-apiserver"
- "federation-apiserver" - "federation-apiserver"
fedcontrollermanager: fedcontrollermanager:
bins:
- "hyperkube federation-controller-manager" - "hyperkube federation-controller-manager"
- "kube-federation-controller-manager" - "kube-federation-controller-manager"
- "federation-controller-manager" - "federation-controller-manager"
optional:
bins:
etcd:
- "etcd"
flanneld:
- "flanneld"
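Review bot: The node and federated components (kubelet, proxy, fedapiserver, fedcontrollermanager) get no `defaultconf`, while every master component does; with the getConfigFiles change on this page, a node whose kubelet config is at none of the listed paths has the bare word `kubelet` substituted into the config-file checks, which is hard to recognise in the report. Adding `defaultconf: /etc/kubernetes/kubelet` and `defaultconf: /etc/kubernetes/proxy`, following the master entries' pattern, keeps the substituted value a real path; the federated entries lack `confs` as well, so the same presumably applies there. The new `optional: true` key is not explained in the file; from the util.go hunk it only stops the run from aborting when none of the `bins` is running and does not affect the config-file lookup, so a comment at its first use such as `# optional: do not abort the run when none of the bins is running` would help. The kubernetes comment's `obselete` should read `obsolete`.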


@ -17,7 +17,6 @@ package cmd
import ( import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os"
"github.com/aquasecurity/kube-bench/check" "github.com/aquasecurity/kube-bench/check"
"github.com/spf13/viper" "github.com/spf13/viper"
@ -67,10 +66,10 @@ func runChecks(t check.NodeType) {
typeConf = viper.Sub("federated") typeConf = viper.Sub("federated")
} }
// Get the set of exectuables we care about on this type of node // Get the set of exectuables and config files we care about on this type of node. This also
binmap := getBinaries(typeConf.Sub("bins"), false) // checks that the executables we need for the node type are running.
extrasmap := getBinaries(viper.Sub("optional"), true) binmap := getBinaries(typeConf)
confmap := getConfigFiles(typeConf.Sub("confs")) confmap := getConfigFiles(typeConf)
// Run kubernetes installation validation checks. // Run kubernetes installation validation checks.
verifyKubeVersion(kubeMajorVersion, kubeMinorVersion) verifyKubeVersion(kubeMajorVersion, kubeMinorVersion)
@ -92,7 +91,6 @@ func runChecks(t check.NodeType) {
// Variable substitutions. Replace all occurrences of variables in controls files. // Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in) s := string(in)
s = makeSubstitutions(s, "bin", binmap) s = makeSubstitutions(s, "bin", binmap)
s = makeSubstitutions(s, "bin", extrasmap)
s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "conf", confmap)
controls, err := check.NewControls(t, []byte(s)) controls, err := check.NewControls(t, []byte(s))
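Review bot: `typeConf` is passed to getBinaries and getConfigFiles without a nil check; viper.Sub returns nil when the section is absent from the config file, and both helpers call `v.GetStringSlice("components")` on it unconditionally (see the util.go hunks on this page), so a config lacking e.g. a `federated:` section would panic instead of reporting the problem. The old code dereferenced typeConf too, so this is not introduced here, but a guard after the node-type selection, `if typeConf == nil { exitWithError(fmt.Errorf("no configuration section found for node type %v", t)) }`, makes the failure explicit; the branches that set typeConf are outside the hunk. The rewritten comment keeps the `exectuables` typo, which should read `executables`.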


@ -85,17 +85,34 @@ func ps(proc string) string {
} }
// getBinaries finds which of the set of candidate executables are running // getBinaries finds which of the set of candidate executables are running
func getBinaries(v *viper.Viper, optional bool) map[string]string { func getBinaries(v *viper.Viper) map[string]string {
binmap := make(map[string]string) binmap := make(map[string]string)
for _, exeType := range v.AllKeys() { for _, component := range v.GetStringSlice("components") {
bin, err := findExecutable(v.GetStringSlice(exeType)) s := v.Sub(component)
if err != nil && !optional { if s == nil {
exitWithError(fmt.Errorf("looking for %s executable but none of the candidates are running", exeType)) continue
} }
binmap[exeType] = bin optional := s.GetBool("optional")
bins := s.GetStringSlice("bins")
if len(bins) > 0 {
bin, err := findExecutable(bins)
if err != nil && !optional {
exitWithError(fmt.Errorf("need %s executable but none of the candidates are running", component))
} }
// Default the executable name that we'll substitute to the name of the component
if bin == "" {
bin = component
glog.V(2).Info(fmt.Sprintf("Component %s not running", component))
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses running binary %s", component, bin))
}
binmap[component] = bin
}
}
return binmap return binmap
} }
@ -103,13 +120,28 @@ func getBinaries(v *viper.Viper, optional bool) map[string]string {
func getConfigFiles(v *viper.Viper) map[string]string { func getConfigFiles(v *viper.Viper) map[string]string {
confmap := make(map[string]string) confmap := make(map[string]string)
for _, confType := range v.AllKeys() { for _, component := range v.GetStringSlice("components") {
conf := findConfigFile(v.GetStringSlice(confType)) s := v.Sub(component)
if conf == "" { if s == nil {
printlnWarn(fmt.Sprintf("Missing kubernetes config file for %s", confType)) continue
} else {
confmap[confType] = conf
} }
// See if any of the candidate config files exist
conf := findConfigFile(s.GetStringSlice("confs"))
if conf == "" {
if s.IsSet("defaultconf") {
conf = s.GetString("defaultconf")
glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
} else {
// Default the config file name that we'll substitute to the name of the component
printlnWarn(fmt.Sprintf("Missing config file for %s", component))
conf = component
}
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses config file '%s'", component, conf))
}
confmap[component] = conf
} }
return confmap return confmap