mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-26 01:49:28 +00:00
Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which the current kube-bench implementation does not check for properly. kube-bench checks the wrong files. This PR adds support for variable substitution for all the config file types are that should be checked in the CIS benchmarks. This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for ownership of the kubelet config file /var/lib/kubelet/config.yaml but recommends changing ownership of kubelet kubeconfig file /etc/kubernetes/kubelet.conf as remediation.
This commit is contained in:
parent
3f98c1def2
commit
a88b0703d8
@ -320,7 +320,7 @@ groups:
|
|||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -342,12 +342,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -358,7 +358,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletconf
|
chown root:root $kubeletkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
@ -404,7 +404,7 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -426,12 +426,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 644 $proxyconf
|
chmod 644 $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -439,7 +439,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $proxyconf
|
chown root:root $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
@ -462,19 +462,19 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.9
|
- id: 2.2.9
|
||||||
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
|
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chown root:root /etc/kubernetes/kubelet.conf
|
chown root:root $kubeletconf
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.10
|
- id: 2.2.10
|
||||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -495,5 +495,5 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chmod 644 /var/lib/kubelet/config.yaml
|
chmod 644 $kubeletconf
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -9,36 +9,13 @@
|
|||||||
|
|
||||||
master:
|
master:
|
||||||
apiserver:
|
apiserver:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
|
||||||
- /etc/kubernetes/manifests/kube-apiserver.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||||
|
|
||||||
scheduler:
|
scheduler:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
|
||||||
- /etc/kubernetes/manifests/kube-scheduler.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
||||||
|
|
||||||
controllermanager:
|
controllermanager:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
|
||||||
- /etc/kubernetes/manifests/kube-controller-manager.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||||
|
|
||||||
etcd:
|
etcd:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/etcd.yaml
|
|
||||||
- /etc/kubernetes/manifests/etcd.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
|
|
||||||
node:
|
|
||||||
kubelet:
|
|
||||||
confs:
|
|
||||||
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
||||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
||||||
|
@ -297,7 +297,7 @@ groups:
|
|||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -319,12 +319,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -335,7 +335,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletconf
|
chown root:root $kubeletkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
@ -382,7 +382,7 @@ groups:
|
|||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
|
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
|
||||||
restrictive (Scored)"
|
restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -404,12 +404,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 644 $proxyconf
|
chmod 644 $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -417,7 +417,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $proxyconf
|
chown root:root $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
|
@ -78,11 +78,9 @@ node:
|
|||||||
bins:
|
bins:
|
||||||
- "hyperkube kubelet"
|
- "hyperkube kubelet"
|
||||||
- "kubelet"
|
- "kubelet"
|
||||||
confs:
|
defaultconf: "/var/lib/kubelet/config.yaml"
|
||||||
- /etc/kubernetes/kubelet.conf
|
|
||||||
- /etc/kubernetes/kubelet
|
|
||||||
defaultconf: "/etc/kubernetes/kubelet.conf"
|
|
||||||
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
||||||
|
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
|
||||||
|
|
||||||
proxy:
|
proxy:
|
||||||
bins:
|
bins:
|
||||||
@ -90,9 +88,9 @@ node:
|
|||||||
- "hyperkube proxy"
|
- "hyperkube proxy"
|
||||||
- "proxy"
|
- "proxy"
|
||||||
confs:
|
confs:
|
||||||
- /etc/kubernetes/proxy.conf
|
|
||||||
- /etc/kubernetes/proxy
|
- /etc/kubernetes/proxy
|
||||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||||
|
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
|
||||||
|
|
||||||
federated:
|
federated:
|
||||||
components:
|
components:
|
||||||
|
@ -83,12 +83,14 @@ func runChecks(nodetype check.NodeType) {
|
|||||||
binmap := getBinaries(typeConf)
|
binmap := getBinaries(typeConf)
|
||||||
confmap := getConfigFiles(typeConf)
|
confmap := getConfigFiles(typeConf)
|
||||||
svcmap := getServiceFiles(typeConf)
|
svcmap := getServiceFiles(typeConf)
|
||||||
|
kubeconfmap := getKubeConfigFiles(typeConf)
|
||||||
|
|
||||||
// Variable substitutions. Replace all occurrences of variables in controls files.
|
// Variable substitutions. Replace all occurrences of variables in controls files.
|
||||||
s := string(in)
|
s := string(in)
|
||||||
s = makeSubstitutions(s, "bin", binmap)
|
s = makeSubstitutions(s, "bin", binmap)
|
||||||
s = makeSubstitutions(s, "conf", confmap)
|
s = makeSubstitutions(s, "conf", confmap)
|
||||||
s = makeSubstitutions(s, "svc", svcmap)
|
s = makeSubstitutions(s, "svc", svcmap)
|
||||||
|
s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
|
||||||
|
|
||||||
controls, err := check.NewControls(nodetype, []byte(s))
|
controls, err := check.NewControls(nodetype, []byte(s))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
31
cmd/util.go
31
cmd/util.go
@ -219,6 +219,37 @@ func getServiceFiles(v *viper.Viper) map[string]string {
|
|||||||
return svcmap
|
return svcmap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
|
||||||
|
func getKubeConfigFiles(v *viper.Viper) map[string]string {
|
||||||
|
kubeconfigmap := make(map[string]string)
|
||||||
|
|
||||||
|
for _, component := range v.GetStringSlice("components") {
|
||||||
|
s := v.Sub(component)
|
||||||
|
if s == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// See if any of the candidate config files exist
|
||||||
|
kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig"))
|
||||||
|
if kubeconfig == "" {
|
||||||
|
if s.IsSet("defaultkubeconfig") {
|
||||||
|
kubeconfig = s.GetString("defaultkubeconfig")
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
|
||||||
|
} else {
|
||||||
|
// Default the service file name that we'll substitute to the name of the component
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
|
||||||
|
kubeconfig = component
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig))
|
||||||
|
}
|
||||||
|
|
||||||
|
kubeconfigmap[component] = kubeconfig
|
||||||
|
}
|
||||||
|
|
||||||
|
return kubeconfigmap
|
||||||
|
}
|
||||||
|
|
||||||
// verifyBin checks that the binary specified is running
|
// verifyBin checks that the binary specified is running
|
||||||
func verifyBin(bin string) bool {
|
func verifyBin(bin string) bool {
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user