diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml index 7b808ba..82a4d7c 100644 --- a/cfg/1.11/node.yaml +++ b/cfg/1.11/node.yaml @@ -320,7 +320,7 @@ groups: - id: 2.2.1 text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" + audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'" tests: bin_op: or test_items: @@ -342,12 +342,12 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 644 $kubeletconf + chmod 644 $kubeletkubeconfig scored: true - id: 2.2.2 text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" + audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'" tests: test_items: - flag: "root:root" @@ -358,7 +358,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $kubeletconf + chown root:root $kubeletkubeconfig scored: true - id: 2.2.3 @@ -404,7 +404,7 @@ groups: - id: 2.2.5 text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" + audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'" tests: bin_op: or test_items: @@ -426,12 +426,12 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 644 $proxyconf + chmod 644 $proxykubeconfig scored: true - id: 2.2.6 text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" + audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'" tests: test_items: - flag: "root:root" @@ -439,7 +439,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $proxyconf + chown root:root $proxykubeconfig scored: true - id: 2.2.7 @@ -462,19 +462,19 @@ groups: - id: 2.2.9 text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi'" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" tests: test_items: - flag: "root:root" set: true remediation: | Run the following command (using the config file location identied in the Audit step) - chown root:root /etc/kubernetes/kubelet.conf + chown root:root $kubeletconf scored: true - id: 2.2.10 text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml; fi'" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: bin_op: or test_items: @@ -495,5 +495,5 @@ groups: set: true remediation: | Run the following command (using the config file location identied in the Audit step) - chmod 644 /var/lib/kubelet/config.yaml + chmod 644 $kubeletconf scored: true diff --git a/cfg/1.8/config.yaml b/cfg/1.8/config.yaml index 1fec47e..3caaa5d 100644 --- a/cfg/1.8/config.yaml +++ b/cfg/1.8/config.yaml @@ -9,36 +9,13 @@ master: apiserver: - confs: - - /etc/kubernetes/manifests/kube-apiserver.yaml - - /etc/kubernetes/manifests/kube-apiserver.manifest defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml scheduler: - confs: - - /etc/kubernetes/manifests/kube-scheduler.yaml - - /etc/kubernetes/manifests/kube-scheduler.manifest defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml controllermanager: - confs: - - /etc/kubernetes/manifests/kube-controller-manager.yaml - - /etc/kubernetes/manifests/kube-controller-manager.manifest defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml etcd: - confs: - - /etc/kubernetes/manifests/etcd.yaml - - /etc/kubernetes/manifests/etcd.manifest defaultconf: /etc/kubernetes/manifests/etcd.yaml - -node: - kubelet: - confs: - - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf - defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf - - proxy: - confs: - - /etc/kubernetes/addons/kube-proxy-daemonset.yaml - defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml index db47007..014ced4 100644 --- a/cfg/1.8/node.yaml +++ b/cfg/1.8/node.yaml @@ -297,7 +297,7 @@ groups: - id: 2.2.1 text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" + audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'" tests: bin_op: or test_items: @@ -319,12 +319,12 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 644 $kubeletconf + chmod 644 $kubeletkubeconfig scored: true - id: 2.2.2 text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" + audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'" tests: test_items: - flag: "root:root" @@ -335,7 +335,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $kubeletconf + chown root:root $kubeletkubeconfig scored: true - id: 2.2.3 @@ -382,7 +382,7 @@ groups: - id: 2.2.5 text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" + audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'" tests: bin_op: or test_items: @@ -404,12 +404,12 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 644 $proxyconf + chmod 644 $proxykubeconfig scored: true - id: 2.2.6 text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" + audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'" tests: test_items: - flag: "root:root" @@ -417,7 +417,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $proxyconf + chown root:root $proxykubeconfig scored: true - id: 2.2.7 diff --git a/cfg/config.yaml b/cfg/config.yaml index 563bb5e..82ed1a1 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -78,11 +78,9 @@ node: bins: - "hyperkube kubelet" - "kubelet" - confs: - - /etc/kubernetes/kubelet.conf - - /etc/kubernetes/kubelet - defaultconf: "/etc/kubernetes/kubelet.conf" + defaultconf: "/var/lib/kubelet/config.yaml" defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" + defaultkubeconfig: "/etc/kubernetes/kubelet.conf" proxy: bins: @@ -90,9 +88,9 @@ node: - "hyperkube proxy" - "proxy" confs: - - /etc/kubernetes/proxy.conf - /etc/kubernetes/proxy - /etc/kubernetes/addons/kube-proxy-daemonset.yaml + defaultkubeconfig: "/etc/kubernetes/proxy.conf" federated: components: diff --git a/cmd/common.go b/cmd/common.go index 2cfa310..b4d46c2 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -83,12 +83,14 @@ func runChecks(nodetype check.NodeType) { binmap := getBinaries(typeConf) confmap := getConfigFiles(typeConf) svcmap := getServiceFiles(typeConf) + kubeconfmap := getKubeConfigFiles(typeConf) // Variable substitutions. Replace all occurrences of variables in controls files. s := string(in) s = makeSubstitutions(s, "bin", binmap) s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "svc", svcmap) + s = makeSubstitutions(s, "kubeconfig", kubeconfmap) controls, err := check.NewControls(nodetype, []byte(s)) if err != nil { diff --git a/cmd/util.go b/cmd/util.go index 97cd94a..c3ae950 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -219,6 +219,37 @@ func getServiceFiles(v *viper.Viper) map[string]string { return svcmap } +// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist +func getKubeConfigFiles(v *viper.Viper) map[string]string { + kubeconfigmap := make(map[string]string) + + for _, component := range v.GetStringSlice("components") { + s := v.Sub(component) + if s == nil { + continue + } + + // See if any of the candidate config files exist + kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig")) + if kubeconfig == "" { + if s.IsSet("defaultkubeconfig") { + kubeconfig = s.GetString("defaultkubeconfig") + glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component)) + } else { + // Default the service file name that we'll substitute to the name of the component + glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component)) + kubeconfig = component + } + } else { + glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig)) + } + + kubeconfigmap[component] = kubeconfig + } + + return kubeconfigmap +} + // verifyBin checks that the binary specified is running func verifyBin(bin string) bool {