
Warn if kubectl can't autodetect the version (#656)

* Add warning if lacking kubeconfig for auto-detect

* Only run getBenchmarkVersion once

* Remove call to continueWithError
Liz Rice 2020-08-04 16:04:02 +01:00 committed by GitHub
parent b0d175bf5c
commit a6161aa868
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 35 additions and 21 deletions


@ -191,7 +191,7 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
// loadConfig finds the correct config dir based on the kubernetes version, // loadConfig finds the correct config dir based on the kubernetes version,
// merges any specific config.yaml file found with the main config // merges any specific config.yaml file found with the main config
// and returns the benchmark file to use. // and returns the benchmark file to use.
func loadConfig(nodetype check.NodeType) string { func loadConfig(nodetype check.NodeType, benchmarkVersion string) string {
var file string var file string
var err error var err error
@ -210,11 +210,6 @@ func loadConfig(nodetype check.NodeType) string {
file = managedservicesFile file = managedservicesFile
} }
benchmarkVersion, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())
if err != nil {
exitWithError(fmt.Errorf("failed to get benchMark version: %v", err))
}
path, err := getConfigFilePath(benchmarkVersion, file) path, err := getConfigFilePath(benchmarkVersion, file)
if err != nil { if err != nil {
exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err)) exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err))
@ -302,7 +297,6 @@ func getBenchmarkVersion(kubeVersion, benchmarkVersion string, v *viper.Viper) (
// isMaster verify if master components are running on the node. // isMaster verify if master components are running on the node.
func isMaster() bool { func isMaster() bool {
loadConfig(check.MASTER)
return isThisNodeRunning(check.MASTER) return isThisNodeRunning(check.MASTER)
} }
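Review bot: Dropping `loadConfig(check.MASTER)` from isMaster means isThisNodeRunning now runs before loadConfig has merged the version-specific config.yaml into the main config (the doc comment on loadConfig lists that merge as one of its jobs), and in root.go isMaster() is called ahead of the first loadConfig call, so if isThisNodeRunning reads anything from the merged config the master detection may now see only the base config — worth confirming before merging. The loadConfig doc comment should also describe the new parameter, e.g. `// loadConfig finds the correct config dir for the given benchmark version (already resolved by the caller),`. Naming the parameter `benchmarkVersion` shadows the package-level flag variable of the same name that callers pass into getBenchmarkVersion; a name such as `bv`, as used at the call sites, would avoid the confusion. loadConfig's body continues outside the hunk, and getBenchmarkVersion starts outside it.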


@ -15,8 +15,11 @@
package cmd package cmd
import ( import (
"fmt"
"github.com/aquasecurity/kube-bench/check" "github.com/aquasecurity/kube-bench/check"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/spf13/viper"
) )
// masterCmd represents the master command // masterCmd represents the master command
@ -25,7 +28,12 @@ var masterCmd = &cobra.Command{
Short: "Run Kubernetes benchmark checks from the master.yaml file.", Short: "Run Kubernetes benchmark checks from the master.yaml file.",
Long: `Run Kubernetes benchmark checks from the master.yaml file in cfg/<version>.`, Long: `Run Kubernetes benchmark checks from the master.yaml file in cfg/<version>.`,
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
filename := loadConfig(check.MASTER) bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())
if err != nil {
exitWithError(fmt.Errorf("unable to determine benchmark version: %v", err))
}
filename := loadConfig(check.MASTER, bv)
runChecks(check.MASTER, filename) runChecks(check.MASTER, filename)
writeOutput(controlsCollection) writeOutput(controlsCollection)
}, },
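Review bot: The resolve-then-exit sequence added to masterCmd.Run (`bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())` through `exitWithError(...)`) is now copied verbatim into node.go and root.go, so the three call sites can drift in error wording and exit behaviour. A small package-level helper in common.go that performs the getBenchmarkVersion call, calls exitWithError on failure and returns the version string would let each Run body shrink to `filename := loadConfig(check.MASTER, resolvedBenchmarkVersion())` (helper name is a suggestion), and would also drop the new `fmt` and `viper` imports from master.go and node.go. The same applies to the node.go section below. masterCmd's declaration starts outside the hunk.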


@ -15,8 +15,11 @@
package cmd package cmd
import ( import (
"fmt"
"github.com/aquasecurity/kube-bench/check" "github.com/aquasecurity/kube-bench/check"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/spf13/viper"
) )
// nodeCmd represents the node command // nodeCmd represents the node command
@ -25,7 +28,12 @@ var nodeCmd = &cobra.Command{
Short: "Run Kubernetes benchmark checks from the node.yaml file.", Short: "Run Kubernetes benchmark checks from the node.yaml file.",
Long: `Run Kubernetes benchmark checks from the node.yaml file in cfg/<version>.`, Long: `Run Kubernetes benchmark checks from the node.yaml file in cfg/<version>.`,
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
filename := loadConfig(check.NODE) bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())
if err != nil {
exitWithError(fmt.Errorf("unable to determine benchmark version: %v", err))
}
filename := loadConfig(check.NODE, bv)
runChecks(check.NODE, filename) runChecks(check.NODE, filename)
writeOutput(controlsCollection) writeOutput(controlsCollection)
}, },


@ -64,45 +64,45 @@ var RootCmd = &cobra.Command{
Short: "Run CIS Benchmarks checks against a Kubernetes deployment", Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
Long: `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`, Long: `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
benchmarkVersion, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper()) bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())
if err != nil { if err != nil {
exitWithError(fmt.Errorf("unable to determine benchmark version: %v", err)) exitWithError(fmt.Errorf("unable to determine benchmark version: %v", err))
} }
if isMaster() { if isMaster() {
glog.V(1).Info("== Running master checks ==\n") glog.V(1).Info("== Running master checks ==\n")
runChecks(check.MASTER, loadConfig(check.MASTER)) runChecks(check.MASTER, loadConfig(check.MASTER, bv))
// Control Plane is only valid for CIS 1.5 and later, // Control Plane is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions // this a gatekeeper for previous versions
if validTargets(benchmarkVersion, []string{string(check.CONTROLPLANE)}) { if validTargets(bv, []string{string(check.CONTROLPLANE)}) {
glog.V(1).Info("== Running control plane checks ==\n") glog.V(1).Info("== Running control plane checks ==\n")
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE)) runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv))
} }
} }
// Etcd is only valid for CIS 1.5 and later, // Etcd is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions. // this a gatekeeper for previous versions.
if validTargets(benchmarkVersion, []string{string(check.ETCD)}) && isEtcd() { if validTargets(bv, []string{string(check.ETCD)}) && isEtcd() {
glog.V(1).Info("== Running etcd checks ==\n") glog.V(1).Info("== Running etcd checks ==\n")
runChecks(check.ETCD, loadConfig(check.ETCD)) runChecks(check.ETCD, loadConfig(check.ETCD, bv))
} }
glog.V(1).Info("== Running node checks ==\n") glog.V(1).Info("== Running node checks ==\n")
runChecks(check.NODE, loadConfig(check.NODE)) runChecks(check.NODE, loadConfig(check.NODE, bv))
// Policies is only valid for CIS 1.5 and later, // Policies is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions. // this a gatekeeper for previous versions.
if validTargets(benchmarkVersion, []string{string(check.POLICIES)}) { if validTargets(bv, []string{string(check.POLICIES)}) {
glog.V(1).Info("== Running policies checks ==\n") glog.V(1).Info("== Running policies checks ==\n")
runChecks(check.POLICIES, loadConfig(check.POLICIES)) runChecks(check.POLICIES, loadConfig(check.POLICIES, bv))
} }
// Managedservices is only valid for GKE 1.0 and later, // Managedservices is only valid for GKE 1.0 and later,
// this a gatekeeper for previous versions. // this a gatekeeper for previous versions.
if validTargets(benchmarkVersion, []string{string(check.MANAGEDSERVICES)}) { if validTargets(bv, []string{string(check.MANAGEDSERVICES)}) {
glog.V(1).Info("== Running managed services checks ==\n") glog.V(1).Info("== Running managed services checks ==\n")
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES)) runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv))
} }
writeOutput(controlsCollection) writeOutput(controlsCollection)


@ -346,6 +346,10 @@ func getVersionFromKubectlOutput(s string) string {
serverVersionRe := regexp.MustCompile(`Server Version: v(\d+.\d+)`) serverVersionRe := regexp.MustCompile(`Server Version: v(\d+.\d+)`)
subs := serverVersionRe.FindStringSubmatch(s) subs := serverVersionRe.FindStringSubmatch(s)
if len(subs) < 2 { if len(subs) < 2 {
if strings.Contains(s, "The connection to the server") {
msg := fmt.Sprintf(`Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version %s`, defaultKubeVersion)
fmt.Fprintln(os.Stderr, msg)
}
glog.V(1).Info(fmt.Sprintf("Unable to get Kubernetes version from kubectl, using default version: %s", defaultKubeVersion)) glog.V(1).Info(fmt.Sprintf("Unable to get Kubernetes version from kubectl, using default version: %s", defaultKubeVersion))
return defaultKubeVersion return defaultKubeVersion
} }
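Review bot: The new stderr warning fires only when kubectl's output contains `The connection to the server`, so every other auto-detection failure (kubectl missing from PATH, an authentication rejection, a changed or localised error string) still falls back to defaultKubeVersion with nothing more than a V(1) log line — and assessing a cluster against the wrong benchmark version silently invalidates the results. Emit the warning whenever the regexp does not match, and add the connection-specific hint only when that substring is present, as sketched below. Matching on free-text error output is inherently fragile; if the caller has kubectl's exit status or error value available, that would be a sturdier signal than a substring check. getVersionFromKubectlOutput starts outside the hunk.
```go
	if len(subs) < 2 {
		msg := fmt.Sprintf("Warning: Kubernetes version was not auto-detected from kubectl output; assuming default version %s", defaultKubeVersion)
		if strings.Contains(s, "The connection to the server") {
			msg += " (kubectl could not connect to the Kubernetes server: the kubeconfig information may be missing or have credentials that do not match the server)"
		}
		fmt.Fprintln(os.Stderr, msg)
		// … unchanged: V(1) log line and return defaultKubeVersion …
	}
```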