From ade064006e5454b125f073e8a1d5fe4edfd0acff Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 10 Apr 2018 19:58:19 +0000 Subject: [PATCH 01/17] Add extra output manipulation flags, --noremediations, --nosummary and --noresults. These flags disable printing sections of the final output of kube-bench. --- cmd/common.go | 63 ++++++++++++++++++++++++++++----------------------- cmd/root.go | 8 +++++++ 2 files changed, 43 insertions(+), 28 deletions(-) diff --git a/cmd/common.go b/cmd/common.go index 752a337..1d938c2 100644 --- a/cmd/common.go +++ b/cmd/common.go 
@@ -131,41 +131,48 @@ func colorPrint(state check.State, s string) { // prettyPrint outputs the results to stdout in human-readable format func prettyPrint(r *check.Controls, summary check.Summary) { - colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text)) - for _, g := range r.Groups { - colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text)) - for _, c := range g.Checks { - colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text)) - } - } - - fmt.Println() - - // Print remediations. - if summary.Fail > 0 || summary.Warn > 0 { - colors[check.WARN].Printf("== Remediations ==\n") + // Print check results. + if !noResults { + colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text)) for _, g := range r.Groups { + colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text)) for _, c := range g.Checks { - if c.State != check.PASS { - fmt.Printf("%s %s\n", c.ID, c.Remediation) - } + colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text)) } } + fmt.Println() } - // Print summary setting output color to highest severity. - var res check.State - if summary.Fail > 0 { - res = check.FAIL - } else if summary.Warn > 0 { - res = check.WARN - } else { - res = check.PASS + // Print remediations. + if !noRemediations { + if summary.Fail > 0 || summary.Warn > 0 { + colors[check.WARN].Printf("== Remediations ==\n") + for _, g := range r.Groups { + for _, c := range g.Checks { + if c.State != check.PASS { + fmt.Printf("%s %s\n", c.ID, c.Remediation) + } + } + } + fmt.Println() + } } - colors[res].Printf("== Summary ==\n") - fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n", - summary.Pass, summary.Fail, summary.Warn, - ) + // Print summary setting output color to highest severity. 
+ if !noSummary { + var res check.State + if summary.Fail > 0 { + res = check.FAIL + } else if summary.Warn > 0 { + res = check.WARN + } else { + res = check.PASS + } + + colors[res].Printf("== Summary ==\n") + fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n", + summary.Pass, summary.Fail, summary.Warn, + ) + } } diff --git a/cmd/root.go b/cmd/root.go index 76d871a..915d377 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -36,6 +36,9 @@ var ( masterFile string nodeFile string federatedFile string + noResults bool + noSummary bool + noRemediations bool ) // RootCmd represents the base command when called without any subcommands @@ -60,8 +63,13 @@ func Execute() { func init() { cobra.OnInitialize(initConfig) + // Output control + RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable prints of results section") + RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section") + RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section") RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON") RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL") + RootCmd.PersistentFlags().StringVarP( &checkList, "check", From 9469b1c124305cdcf20bbc6a0da8e8009daac7fd Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Thu, 12 Apr 2018 14:22:50 -0400 Subject: [PATCH 02/17] Allow kubernetes version and config directory to be specified (resolves #107) --- cmd/common.go | 8 +++++++- cmd/root.go | 5 ++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/cmd/common.go b/cmd/common.go index 752a337..4b59758 100644 --- a/cmd/common.go +++ b/cmd/common.go 
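Review bot: The remediation section nests two `if`s where a single condition reads better and saves one indentation level for the loop beneath it: `if !noRemediations && (summary.Fail > 0 || summary.Warn > 0) {`. The header comment `// prettyPrint outputs the results to stdout in human-readable format` no longer describes the contract; it should add that the results, remediations and summary sections are each skipped when the corresponding `noResults`, `noRemediations` or `noSummary` flag is set, and that setting all three produces no output at all. The closing brace of prettyPrint is the last line of the hunk, so nothing of the function is hidden, but the three flag variables it reads are declared in cmd/root.go.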
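Review bot: The three new help strings are worded inconsistently — `"Disable prints of results section"` sits next to `"Disable printing of summary section"`; make the first `"Disable printing of results section"` so the `--help` listing reads as one set. It is not visible from this hunk whether the flags have any effect under `--json`; if they apply only to the human-readable printer, saying so in their help text would save users a surprise. An `// Output control` comment that also names the consumer (prettyPrint in cmd/common.go) would make the grouping self-explanatory.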
@@ -47,7 +47,13 @@ func runChecks(t check.NodeType) { nodetype = "federated" } - ver := getKubeVersion() + var ver string + if kubeVersion != "" { + ver = kubeVersion + } else { + ver = getKubeVersion() + } + switch ver { case "1.9", "1.10": continueWithError(nil, fmt.Sprintf("No CIS spec for %s - using tests from CIS 1.2.0 spec for Kubernetes 1.8\n", ver)) diff --git a/cmd/root.go b/cmd/root.go index 76d871a..ec84682 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -26,9 +26,10 @@ import ( var ( envVarsPrefix = "KUBE_BENCH" - cfgDir = "./cfg" defaultKubeVersion = "1.6" + kubeVersion string cfgFile string + cfgDir string jsonFmt bool pgSQL bool checkList string @@ -77,6 +78,8 @@ func init() { `Run all the checks under this comma-delimited list of groups. Example --group="1.1"`, ) RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)") + RootCmd.PersistentFlags().StringVarP(&cfgDir, "config-dir", "D", "./cfg/", "config directory") + RootCmd.PersistentFlags().StringVar(&kubeVersion, "version", "", "Manually specify Kubernetes version, automatically detected if unset") goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) { RootCmd.PersistentFlags().AddGoFlag(goflag) From 5ee7c1b0dbb9a69595c44d61881eab7d7cdae11c Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:02:22 +0100 Subject: [PATCH 03/17] kube-bench logo --- images/kube-bench.png | Bin 0 -> 17501 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 images/kube-bench.png 
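Review bot: A value supplied with `--version` is used verbatim in `switch ver { case "1.9", "1.10": ...`, so anything not in the exact `major.minor` form the cases expect (`v1.10`, `1.10.3`) falls silently through to the default branch; the flag help should state the expected format, and a small normalization step before the switch (trim a leading `v`, keep only major.minor) would make manual input behave like the detected value. The `var ver string` / `if` / `else` can also be written as `ver := kubeVersion` followed by `if ver == "" { ver = getKubeVersion() }`. In cmd/root.go the `cfgDir` default moves from `./cfg` to `./cfg/`; that is harmless if the directory is combined with `filepath.Join`, but check whether any caller concatenates it with `"/"`, which would now yield `cfg//`. The rest of runChecks, including the switch's default case, lies outside this hunk.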
diff --git a/images/kube-bench.png b/images/kube-bench.png new file mode 100644 index 0000000000000000000000000000000000000000..c13539686fe9f9ea23fc717f574e05a433341275 GIT binary patch literal 17501 zcmdtJWmH{F*Ch%BcPBVOgA<$(-2K2g5Znn4A-EF=?(VJ!cY=omcPDs)26wmKlAyxCz+lM9N~*!Yzmv#)Xa=b-5mzZ-od~~JjqFlLEIMhGkrhm z%{U)b(JCad61O7SguW!+7a#UJ_(pr78ANZdZ-YAAM)V77w_DUe5QQ+ck*iC@;;}k% zHD8H?W9n)+h4QS(mgObq`mZ*{S9r`^+~hF_E(?YNigM(whTtL2ez8Wny}9=73eV_# zou_TQTS+tlBV{I8Av-xhQJFb)qR_nXKZaSSWkK(Oj$!JW$z z^hqh%(aX;4+zGeUH9-IX;-o30>rLX`-sW|CQk>V}Ub+80i13dg4t=3djr)a@r5jat zWIEifw`8M&T&oWS`>Z6U1OUHeLlcC7ffWlAqa3$V$P`bVbV#i$-8nn*Jv}y0x4PK{Y3H2B zTrKmCJWzmYUM-Eeu#-p(<2Zb`$)fGm1THW>>=!_T?iaGzgn$Qv7ADLb8Pw2kd*=SD zQ`J)P1YmL~FzmfQPH$oDCftU0UoaEJ;J`iiI3i)o2b{^epMdER-unWV6&3(5ZO6y= z*PYC$RkB(xN0X70TwPLhX*>VQ$NjcT21$))LI|mmP|d_LWmk?8X2m@Bga#hyiD7m^ zQi^^i>pQMhQe^jVM6G9ko@4Wh1dy1O)dd#2g>U_IZx4o=nO*FaRW=tEhEBi%ICs+* zisv@_oCgU63G1%2lGw}E!vn9q!an~#p?o^k)zg~V7^7+zx8Ab64I2N3qrWc?9PLjBUa*1 z=m!BR#aN(VL;Pr8?Wt-dE>IN~5*RDJ=`sAeYh%RVwPNXJpYx&KP!8!;8PMOK%BH~Z zCe#3L)-2_nY*m`Q_gTNv9zcdgW`a@ECXbw%|IW2OTu9uWY_rD?00+1q;l+>jRgq7Z zK&;xvt94nHkn8dC_2y6Qbh|x+0WeITF_La3_HAC#2}Nd7>P%Z(>`G&60J5IK-G9P?L4==`gxZ<``^z@1V{t^8NVx=*t4JKeSUZOQMFd%32$7K9X<1fW_2>mqq*AmAxtoym;s#h7<|hKBWz-8~zaq<=dYL%}#gw+j&ef)af;lT_{;TU-NH zEKqTM%l!H=wk|YjG6MndWLm(+(z9W#a$V79U%YZuvvMz`QD-Ru2)>};J~8bS!S>h5 zvX<1uI!g)J*+Cztx|g2`Bo-JE_w^o~NmCub3Z-3Yo%KIvU>O@o&;aH)pvgT`>UmIs z-Dlxk0f6jg3Nt#_R0G_K^9e61Er0wy7zjuNJVBhKI1sK}9Tu0@Gm%iQ27Cbhe<-YG zg_Z=sU`>AdUt+jJQPR&uRbt2vNa@|=@2O6Hu9VZO`VPS8q|>ue;p$KS@Ho7Hdk1im zoTPK(@$j{UTW_!gG4Z#*NX1N+5Zh<+tZ*{Zu%~zEaR0SPzB4qIBi<6NJd_gJ#&x!= zGU*!L`;SLup+=k^owTz!h@i!R8{aU;3&c~F^nsNTBHz#>XT;?-5TFyrI=HU_H z3H-+&9=~Nj{Lyrwb{hi!mG9{fUL2;o0M&r$?P2xl0C7?b;G(eGMgP3WlW(6z@GwQD zGJ|!K#k-`^Dj}yKfGXSwR3#wt*h!Y`6y=y~5l5RhE@yliH1SOqOeb?s4~UJvU4=>X zFw@hd<{Hax8ZTl8`DFD*{=^B?znFr@hJe;qk)+??N$pzo67rcJ%v!3Wj&PkaR@C76 z*^1mmKechl3j$p*`$IYK^dmJ_rz%?p9MLo?Z%_edjbKeX80Vz3+O>K-$^Sh8=lKhn 
z>02>Q>&IUr;ep0>x5ETl2Eik?FU`rfa-rerj^)b=T$|rDe^Yv(_(+3bg-0eFX^hF` zKNu^Uc)KK1DNC?^mQ^Q<(sHi#FD75GZ&Q1`dF-i~l31@t^hf#9qBi3{|?jK0j0?MG_|S?2BWJ5%y(qcM|D zC1OvqSyD{?s36n&Uv0id`&0gJ&A;D`Vg_#A?oYqPQ0cXwPz+tZ>#34?wjruK?c`Bl zyhR9g<}p!7BSsh2ivff+mBRe^vF8mR{Ik9`<|GX1Td1W_;#MgdYp_->(C^A`~b4dpd5}e zHgJzIbI&)tTf*xe9x zl__FH5JY8BDuYel7Jh=m=o>Be>~PBt$mrnqp_y^Sf%MZ8^`fq%L-@S6!uZsfN|e9e zyXO^EHL+vf@7Z5qEl)j&4W`wPzmrIFlD1EqLUhj#ILF$qVIuw_#P(XvIoL`c>^<+- z+b!YD%N5ZyEPuk9wnxP69^7#iy}>9PkRvXAvT~HESx|J;(?>W$-;?tyOiZ8g0s{Gd z9&#ZCdX-IaR^pL&C_lc_f|Z$~YH-j!;Gc;n4|8 zQ$g6m>Z<9ss48!g#7Ig26g~f4b9*KP258T&O)5(yu0g;Uvg4ZpCa;+=!&t!X)-lfk z9_5~bbE9S>y!MAs%6J|zIs;sP)cNm6m5@nSZ(!CY>cOu5(&V+*CT$?VKYuC(`n(BM zW>~It#+{j8qd_p5@saVFfj9Nb5ik8S5|Kj~tqfFRzWHKskMVJ(tCHOxm6-ZlC4^cb zipWH%+1aX#zAJAYkYC3s^DX$7m;1K>@&s`9a&&Cmp}RIopf;)a;g-6t-glp$hZp$m zPW6C5o_SF&W!EMrQ~c|xa1E%u%r>+yqa)ZoN;1yW9=?G^Y^TsThh|kd}O_Gc`o^{pZ;porpYZq@Eh%75f zag$JM2hbC4AWh{xnAyX?F`Oe33v|kJeK8mpw+?)PUBjJs43|EdMSJ#m0p7vrr~B59 z9uoS3mx}K+mh-eK8sOlcoh{3-5bdbZr{`6qnHiZs1u-08CBfUI?0O{vKzWsnh zXYke4hKv6BsC(4ZkRbw`I@hkO-}2L>i@+$m*3T|xhB%h0{_gP$>UOXEFPiz%je znsA1u=jAPe61|IVh=MrimF>#~SF6mqm)-*oTIp{wB7QrmS!Ce=xw4}=<=1yW$hE-F z{OkaChXe2xX4RxvO{9ctn?G~9l!M6X<>s4G6IW^H@git=zOW)e=lD{))mj`jL>5b$ z{YUCoOHkINt<>Rw>E|`pv{~6R=a&~~^QTID8=&>PkmD!o&~Z_-9)(wXblxU_LziKEcp~Gu`DF2$R+{%!r<9OX7LfG-UWhJ%F*3 zqTEu%krZN)tf@aHEN7?BPe;Gp=x|TyK2VPXRk^Vvt!)kmVP%TLLZS|v8+eqgJmxbw zy~63!JPpc$WLx&d1lbDr>|82`BE%g09;}rJ_ueME#6io3Q zY0T_kl)t!fOsM=i4pv)my;K`;wbL(ouViM+#0U{kaHkeHY)^^2VO(lGZFF!G$F?Ta3q<(a!KoltwrwnI#(Z9vSBcigIcVF_%zE zL~#$Nk60v{9Wi^xl@@pIQLS1NOUp6Fcs$)xdn>1?lbqw#=t906pT$f$Jdh)CX@6W> z&_xA(($yfX-O8DJr|BcLo;B8xSA_Qk(3kui+&|$t;-?|5E4Q4Q0D!9CNHbHloTB81 zYSAW(`r`9bglE;KjdpWQ@(Kj0Wn%DP47&}Li`R8djq3ztp47=A!1L5~?;(#_m%e9t zo)(}Cwsm`|Q%soiYxEa7+&xYK*`Wfq$bBV%nTVh5hKW*EHE$PZBAqnoBxMY4zEcCa zm4OVRD*aK#>k`ue84xVb1w)BCE78n+DHPhv$!Vz$PHy`ITHNKY%vS#VtV6UYq?ZY$ zhZU+ocV_yp^XApC$m}*^D`Kp3xyLxrG_-rrXKPrZdeC7 
zpgN*Lk#*r6N>Bb2p&Gh|>DYGVgytGInw5vUuDXIAv9~+%keitJ6Op+Gym>7d`v$wEvR^sm4uXS*lY0Q8BGL@5}#CAi9f@o zXa>&A6(I@2KI`fwP{N|syjZc9CM{jH)qCMN{s)>bV|}$i5(S)N{%KY$H1Q4q$AGjd z;WKm6r?nMq08XF`zrylD{4-*89Gr8kvWu4_J8wZh2TE zB$@zGUEa%^{eJp9YN~b9V3xlxi{;)AGp)RcWT-!6^B3Hl*B6%d^~w&Wgj z0F05N>3f+!oZ`oM%P4pvVNQO}PCxD*#xHJRb=v=4kENp&L-4F&8WvOh>HBcpI)%Q} zp_75N18tnYD1lmbd*V?lKNh|cu_!Kz`={u(taLtE+@50paO%pwk}q?mQkuWkm?vT69m#v zYo2A$p=ISUjctq;bRM4WmG9weO-fImXgrC}7~6CQr9$(H*mO|sL&_(uyM8*Zky&Y@ zoXh}&XL>ML<9T#MiEf*F?H>vO+5|Zi$AIhj{Uv2;TZ(A zhjuXl3z!^AYPxmOj`yDJVenPED#1?#MZOBr+@Q3ulXY3@P<_<)9;O)1+ZS^NYsq;x8jyA^u*l$ zBO|r&Va|HEG~210w2UOgw7KY0L|Bf$RQKBNm5ElJWMZb}?qae?EW6H6mq3fMf+3WI zJ{#SY(7&m*Ess#U=SiUN=9)TaAp+U85c#)#;uVyT+jLpq|pm-d*GjC9n~pP z#B&+k3Rg_ks9qvsERaX-@r%g!sV38q+6|f#Lo^)9Z!gurM72WKI(cUNqEHCNam>nC zgev%N+O(xnB0V#`DHGU9zZmd#9v#H#8X&-?M5iF^k9y*0R8HlqmS5C7*_C3!Bvht6 z3zwi69iz$p7tb|@T6edz=FVtQC8a8nN%dSsvHRW*r1 z3@b0(FY7mXC~nSOygy;hR0GIjw<3Hz=x+q%`!+D3-KkOLIDN8EoRcwoB`W8|a`0L9 z(t_zZBK5GfP&AR1hafKF{a^97(?S%N9Gq7=b@6E@|DL!6$r~BXCoxu!=u=0gAV-F7Ao_?P?Er7&O4i94DI@e9vB&MX- zhz~c5Tk{^o9;u`Ox^bO=L}q8#!qAcK;z;HHg%X=I=w3?|TtlwWZn?|#x_w6E{JPb< zMVM6yRvw7uB*?JycA%=#=1V|3+&H+esH;iD@TpyQ1d6$qi4!g}_^)nL(SYLQKrcuK z?)Kd&rs@Ko#b~nbT?1H&!N&SrEDLAqMEM9{KTvK5R^BDZoivl?uWVA(Q#So9FJf~Q z6xu-pr44`6>{#D!hkxB1@`P_frKZaj_>U`{}F9`tUfxcpLBCup49nWC@`_a`S<=xD5p;N$`ZkXUzBKQSKoe=FCQMm%hJBA_3 z$(W+Qlj5{RhVz?QKlBppp8N))De@fJa7bh@bO043KW@~F@(;yS^Q}Ai9IW0NIf4zM zr0pAn7ppSbw;ktbzw5|r@HYXaW`T)Xc7k&gx3q|DFH<5(SB1NKAoorCJVl4cf$rUl zgl-l2r9hK|e`0+im#$HG!YWO7eJ>n^-OsR#Or{)&xwW^CjKUQ1jMhlnuUk+5jk1uaV?pt<+edl?t2Acv z=Fp;|)>grlof#cob?%u)SDT?s1u?Bx+|SaFYV|eU$~9xf`-iB9GNpo8ZYJZQ-2wD0 z*;&p|(w{N^1&j`T_om(*W&$Z8#- zsC+c4jF%YqqCh}&=Yosq{DWr*ohajloWOT$Cg&w=2uJwp!%8`H$3Ehs!-;gS^LA4P zSi)Q0e+vPiTbFZPkY!CHp})t*hLl8AJ*?Q2TC#mcnGIlJZlEaIqDBWX5%B&@Zg@ki z2o437=3P{~cr0}QUmB)Jgm+;c#p06}G{}J6;G?nql=CuZdpF&y66~W>2>k(hd#fdzk-~3`*cqUB z7Tz{691fD4bJO2QfIJXW#&>WhKF6M7?k7L1yd{UcdA*;DNrK61MAKOZT_C?WH{MiK 
zV4o4tW*t!3!BbArlpJ{Nq82@3Q_yF{+TBlWH@berlIc0m;_!D>_L`plkyb3Y7;yOm z(he)Hh1|kh4BY^L7ZX`Yo&SyHKbyF<=iLP5HHxvYRmUrcy1T+(H6>vuI>P3R2d=vhP;jh4H zAPEse7)gkf{WJrZImq`X%}H1zavGZW^Dz7k2>w>=kb-}R*u`IB2_yfzD3j5r3y3Ql zWS}1(ofFdDrZMCL^J57#vD_82u$62C@R`1dqu4qUA~I-D`Aus7EEL%Bwz8suMhhOe z6<=+Pr}Sc-69Cbe;~HWVR0OO&U^?!9yQ)sb6tuQ9c&3mj08X-Q%Ll5_XEB@WW1=^& zpC2aWx?0A>6bOsTc{T=Thyz7*cnFnjGlc?p#Xw>V7!5p?X)7F};t-(%AJ&UOC~Q0Q ztPJsWq31GXa?xmcS*{qc&=_!zq$z>A$QOHCVuE(vw(D1Huqa^VThTJ%sZ+Ec=4mcc})`ET{A7 z{jksl|2$KX*N!57j*yj}ssG@DcHo!e54)Rg?eIRbrchK5f3=_^NM$%FZA2fa=21RG zk%u!ZwyA6YU{u^XXfquDP?~re>>>*4`bn0)tQKBGVgfYhsLVi`!W6Q7VroQrU^uSG z?wKMD6uIUuOTBBY4-m-A`I8d1UDI@on-$z;*>UcZRE*3dIqBPEOaFF&447f|O+9FY zWppaDT{ynD4L1x?7LsE_3_A*8jcwok+{JD;i@V)gP*)j82de!Hv~|UWwMb|WBwGBm zZ4taPbj6BrNJLy}>SgGi_uqb3A$ektP_k4yKQwWkl+c{vV!4Xr%Dn+kwe`G;Hil( zBKGWjgFXO*@;|g`jkm#)9&lUUpMGx~otc+bJN6~VpH--3->6hAg=Pprec{vg>mC!A z)0M_R2rDv^=GF!$tCAY($AjS<2C>gSvKawEFJ3nK|xiX*ftT`FetLrbgVq!Bf8~F>ESotb8RpKsGOjI!3NLg&hLy zx#D^x!_dXoZ{C6_3*tAa%0uWGaj<~pR_~2jOB(IPoGho0QvcTnI&5G+j8@Dq&PXle zkD+UByeO^X-}=17_luWg{(D{=J|lR z1uE3OZ=`G;!344zOf_Th6KEXxdap`N3SdSeA$92D(fHQ#^;bQnk`J7+%a4i8XU+BBfvLB3mk%2v}%eTe+y@`xQ^AwXrB{s_iH2$z+2t|DGhV728 zwLFWVZSvu0z?PIG94RPB4&($ZEF$aaJ!@exwSdjRxmIIaHV$qee&9G+bD|3NB@mu}+6JYDc!1s=?v`Y0E0IK*eVv~dv1%aCJ zRH6g4g+Hc~^H!Z$mqX}+1K#ieJOCz5Q*vYwClGWZ#N)<2(WFxgq zb@XV@Mi9*Uo!zg+tO(%w2gd&J~!C)20(9On)E(pB20v4@w#MxjDb+ zMA6^JG7!f`h|2<}>wY|PFoiiwpiK+KV2pL}8W=cLzLiG5)1wDKMg>RF`-fL(1%a^u zgs*ad$fNx%%UZ4buNJzn0mi7qCA_9L!B^%3ASgi`uML(X zHi-gOHf=q%v@O9Fufadk|N23VD662T_gMKO<>LyI8?nq^%t~_igX94DH+vCvkI43! 
z9T^8WwluC2#t-7|Bia6Wo@n7$#*=eMqlO49lS5R%I&*;TMFD#P@$tO-Y)-f#rkK%gvb&VZ)1C7k8OGaQ@Z^3(rU#WJNq~$fVfiH!kx?GG4Fy{YeEzY1sga1 zF54_m$EqgR;ANb~Zn}B7XKFqe`Gq4c`d3T%*E`Oj-Hcc%nq<3|xIC;(){Z`ZigIfZ z^6Mj{ktKnnY#VaTA&M;)`MK}sliW9LEH!+X1Rn@2s4;#d*7*V&y<5|8uNndA58OG9 zQ@}%;;?&mBEyav#tc76kflwsjls*Qb($g9JQG6VcK?b3IyKXy)?fH=hm5<}l7CZ}( z_D}TJ6#eViZj0SMnNxf3aF^o=V~oJxdqHLwJ6A+|W4zqwywe-j780BEG}tIk-;>y1 zy3AK<%PB*gdkG^jm$~spm6liAou*<~Y%Qgw{&qW#w?AoRj5u)+=ys$8O}I3Ellzcb z%*;WY!YRXWu&J3QZU{V}+MhCTayAAm_Wt~04d@~)nu?X$9cK+#D(e~u2>Fdpkf;3_ zCkNu9Bv8iTwM-|`WFQNxy0WX+PH9kYZ_8@@`VLjg_+4o;RapeklABf&3bl^JpL@Hbo*VolkO3 zy$oC*e8y9t_}G6XVuv8*vjG7Q4{878$9m`K(gO`u@B~D4Rxw53uaBL;{5SF6JB1TJ zb-uEo=(6bVZcn@2YFW(w{Rf}gj|&Kt!ifkn=AU5=7+|f?ma*gwF|+-a#I9MOD2E2BWzq{k z31g%Z&PXly!4kHz^q`wAQY)4Sp%3;SWY=D;i~7B)9+f}eBgDR;>jsmi5MegFY^2Pi6yIw;kkP- zGq5Bwev|fR$h_4fWz)Jp!h_kD`8On2bm6H#>siAzdUg5ap@RlxTM%hxX${s9nWZ*t zaGt}$&z>3uSUXU3g*dUrO_uglgnuD|JYT`0P(*qiX&{iaiB`1m#-l3eSten{RsSJX zp+PAr>W?{$?ew$y>Mf~)+{x055$C7Pz_fYRdJav#ElW7rVM8A5oQ*9UNu@}BQ9DcZ zWu!^xGMBs}Lk2DjIN7)&Hs5LDx9jH}63Oa-bY1_ktP?GCgEdq!dL-; zU*?}#y@?iDH%@eBFGN^t!vus5gI7BVT^y|Psb2&aP2H2BVz`>HGvfqP1 zP{XKN?vAH^|9y~XoX}5WAwt1O6{adXL@A{NBu^nx-#vZb^FJ4fo_YR`@H1N7*whB&X>>HpqP`BdnH0fZKdVtmi$WNCw=Rq~3=tS8|7 zwd9$a&vU_l>-0!_X)Ut_0LC` z|2+Ns@!zNaeEfe`?7ubt*V^BX{KxL!rvA6ZL^)GpLyFtnPS!rZ&_lwac;|Ef<$imz zP(h7&m_kuP>9O-N$Xjfp&cx2`(Ke!Swu zcRjeZLyQbP@MqFjk?G?T@)6ya_4E{^5iCekRtymG%*s!UD=fl$EIiMA&5VI?QfisR zGjqu`O)lu70S+-QX4lV+lez?f=e*}zo8p6NV>&v7v4EZTD5*AI7*QITsB^axsI{V` zL)|Qk2AY+tYtv7hqih_($z|`DlZx+;40O+nT`{Cg3f&Ru)ZaV23&!s**M_U{8M`j_nd_^m0yH2q!|aWV_q?j?&O9 zx+;eMnoWqn894TV+1n@jhfDuJD31s5=zoRu|4bFpv{W%X#jWd;b-R;V0Ho`OWi`49 z0rbn(R#BlsGRcD) zYu&(Ta}4wQnu#p)vfFxI5hj0aZ~cSSCy5&_Rayl_MbEq4NK#7G8Xivkw}OHUSjedv zSi)b8mRlM;W{i(kl3QC_BYnb=mZdPmU`rvz8e4vv-)73*%Wx5Q!z-j`^Q(GM99dOO zhEkKB+AwRd7}OXCV%*}imrcxEfTM%7wM|30qtNdx7Gx0PBMP&!C~k^f9o`Zvb519- zXw`mDYGu2UMI2jc&qTs>QhH3nAmuGV*SlG6T0K165n#eH*csS#Tp8H|wA0yEg;{V8 
zdMmkLqx)6i@IZ04PtpDpE_AVe=MAgU?-SP3+r=jPvbS#v=n93@I}}J9YqcDdqS3uC z;xZ=fP7kkE?g;Rv)F~t=q}wQaZqKGH*=yf&%1EN^%|3h{j1CQ;^DS}<<8&*)Bk1gR zrrVT2uh^H8!6LifG3^{DI)!jn794#?XC)Tk+#HHBPpwWwl&=14zOd)4M~CBf!Is5I zG+S|3d(V{yOKhXqf|9gv6HOR?#{~@G_ zaL^0;_Z(XZ=Xtj8W8i>(8+-SL?ayN#OV~&W@dEEtY4MlT`l~YRB~|T>opooM-)!l~ z8J3GD=;8)y&BxHX_B&SkJdeAAnT3M9a)z%MN4w9-Svo_A=j(TLJd(Ah_`Wqujff~HhT2GULE?kOn!`foolDU0S8sl=y${Y%yW-mkb zpbARMeeoy6hJ}0Wym5r_Z+Ok9Wd*;Gx!Fa3NmT+J;4(b9OnQvJRiJ;^N{oEq?w16Cde(N~&x^p8`1r z#4}oa5iL)Z=0k|=)#21oig|fv^*q7!B;2M}kAubz9=?)G%69qNrv|Sfd>-`^F0W9H zm+nb7TxJtF%WRA9q`YrKkT&(WE4h|>QQo!4@7jG_UT5!?o)k27G+&c=` zB8LAwXJv0$lJ_cE1sSHLNg`MFp*|+74*xADw}cFL=CrzKIK-`O*zZqQDw?jo*El_ z`aGcvM4(njaL8)@)aB*n7y7PRydJb=Y8wXx@|PHX@-1AYYqtIOyZc`ATN7pj)aoay zCK+g#O~v&Q>MAJ}(*Ye(%8s4QQNYb-VTEE^m5DVsWm=~6>-4TJu{Y8_$?|s65^W{5 zP5@by0$)9l8VYP~RoGZrrCpOImVYsmQND&SO&nh?E;CuGcvYAcSAYEd9nf1kc5{xO zSzW1I-bv;^G;E~d)jP?r8qygMwWkw83PNYGD{y;IEsr4Z>a-)t3T#2wT}Yi8jAIIZ z+otJ;T!m_^bubCr5JmP(BA-$zPI9mJ@z zp?1V(po4`AJ^O5Rij@OFspU8}-ukXz9|YJQEVJ1>*S_4?$|drZCa4$Tp4w0h`Kh6N zDJ13fs;E0NYj+*-zM;0BtxuluY`PB${SXnMn33B8JKK@L>F{a(Jbs|r^=LIz*PWm6 zl&jT6NZlE2F4>ggT}i3=q)gZ*lI~)Kupvt)SI%XJ$^d0F`NCvqugNJ_N28I4N0ilx z)P{oV{?DS*nNzMw*Im-+ux5~#r62b+kUGTsCM_d7^!?5f8oP1sD#PS5=*WB*ARph- z3K#Yu><(tSPf1|Fk5?OLNos?o0sOVweKZ06N#%KoZJb-bte24yreWiugkrCp!Jlj9 zam};^ULe-+mOYRbkT*RKQ&&4jUbd3*fp3seXdQSfr$@64ORTUukP_PqVa)sW*0w{L ztoEwR$6xDV3$b*{4?a$`6tt=e4UpkQOdRF^sKg2x9#zCyTM` z^n-j;siQ0pf$yyS*DtpiucI02$!c_ckg9)bIKN*v4vksf&N{pCmhFKpvTj#PL+)87 za#lT|yKh!o${-y3rsssX&|C6a?{Mqm^@oJ0yOpcQ+4rt{wg3@HeWI0TnsU_?f4v1` z319PE_@ErwG&WUX8d4L?*`g?=(kg@*BJ6nSHCAremR#voa~@gG`DmRm{BX_gkLVZm zbELc>xLBQRSi;iv{K={!;621buqTmK0xU$w?&O)haU{3kIg~V8$;ObL>!yxZtPk6v!d-c1Ni}&{f z$H_w4+JuNn@eS5PMs&~3cnW8wGa{*MHvFJ&I}Q{7J8eg zDn+Gc5$xnFYmy5zRF^^XU@2t z)z(gi)lS0^oAF!C2lHi-3Ph-G->WqGd8XU!1Ru2?zoGg(C%XFxYWw1=?3_(?EbL2| z_QqJvEr zte3BUc zb(I%rgt$4V!GsZn+=QtE-&635zvR`$$XnIjEYxBiCwAh0>#=yJ{OODwPSgc~=VK9@ z-N0WDaj)!(<5T|l+J_7r6^l@|gi`flJpRlu> 
z_h!=sS&r3D5n!+(;m3(t*ql;@;`UvrDy7wyQzivc(@nDm;xsV+B#eF0lnh>!Ocjzs zkAQlqSiU>LCr`xMkgpf!(X&$FmFdT~{2I&@9yEXnt%_U%=E0QM#q(c7)b>Arsk5|0 z9?3)|Bwi6opk zc`}wBd_Uw|TeXFi4v+O-nXfoV$fe5ZUrqWNqoVAY^dn*kY+YUXJS7Ljx!Gw_?Wcmv zj~t9%B^I2a1847^Lw2Yn%)!sg#x$nG)+7B3asgE^wGXh$6l0C9`uXJrQVY7C0tRJM z9MyFEHeDqLn2_JGC|Vl$eX$`bW{6gC=~G*7t!}FPcaQ+%$uTdLeaPzhNO)0g1Fef1j(%#+?lpj%$i*U~E-zgSG&EJw4u&QdhPHqz^FsE#RSM*pHt;K^Rq2hAiyMOg$9-OTD{eYlaYZsxrmu56%m@+!S6(3tYZOKb|8`X*PAq68tWgia@0As4ud4uv^apJQhkLE*<(A$#c zW~~XzPmUJBzTh2BcdZ>k_to>j#|q8gG}jVa{;S^FmO@AR*m&JrZR{URx7B;F%XOMG zyoV3w&-~FXqJO-f^D5DyPCd?3tJSE4lqd+xQ>YN?^X}JwozHJ+@$mo_|0k6!^iygM z@m~IymopS)louM#2t1l<20Kxem6ZeQVvo}LrU28`KypfNrSz3B5 z6rT<(FC#T`M&%^Q*c3)!NlmfG&+=4dF;^6JM8w`#qkG^m#qJK2ao>2>AQQ4hcZ(z< z5iV=j6?ylBZBjcQ?#C6AlePVvay$np^&sp5UCNrnPdrjHARDT?I6t@fSuN&Z$*jUW z#u6p2HMgiIz{AH^n4{_6I`ir~&0%;1-;Q8Y=u)ZUqy;AtT)9ZwqE?5(vN=J(%7nwx zkDiQ2>C@ptk$%E`>4M21PTJ{qm%|OJ68$1w`t)1< z_>_wV>&|_nhX>3nIhR~Pu{S)_;v_%vOSM%j9Sv6Lc6~Pb33upgF7j@blzMKz9=4bp zlY;ie8Ifja?kW?ihJ<(Ud z^RnF7G&_P!E1{VF;)^2TNtoA7dEw4DjS^Fx;c3yyuV040{>X}gm@&sI*(fbNvwd#o zfqjxQY)Eg6fh2po@3%zhPOc|66xPxsyO-B39T_-~yiGlf5Y>xK$4SV7$_m{#_d0H9 zS^2BZPE4)f;N;eu zEMwzU>}lN@gcx?D*~Ml3)+E^N7gB}z%Y_@QfkR+|!i4M-^+-*@U9FGt{#D<#NScp2 zJO>sda+p#P4dl**Fju-b89MP?S6H18Rt=dn2rrk6nmReE40NV zukNVPfCIVY*pzTN@EGh4@4rWH)Q=60l?fY`42!0Vw#t>#uoQBwxA49G=AxT*|T%c8)@%&i%|}PT#X)?N++iSY>Pi z_`@;#d+c#vMer@};GT-Ufs6CQ^t#FB`_f7=BqXHvvn;Q>Mc?0pp)ZTry?4SHlrxZ1 z+XnQG8|v%7G^HFi7eyc)T(I&rVqlzaR2Qe-+$LizdI`jKVNE4G?5|(}0>9-eH zU&v}WK~D#(D`$4UMV`(?Fh0E0qm=q!@e<5cNC&JZ*eIDF3Qy0Baobtrj)7l@7wP_{ zy%<4X;y~87B~_Z<+^QB+!R_j1u2iG}>_;-wt;OMNxkmR?+++VrYSH@WIPZ{3a!)vNlIE}5CkTFi8bW1`N|J3TC8jo%8n_s8I^Ry=SlFUGjey;PuErGDU9 z#+bBd)m_T)pB(Co&IV;*Y8P3}uc4mm=Z%xZtE=y_xcf}ll);_iQI*7F{ONYd9)5j5 zuY~LNIlFlrC+!7(UP-zDcZ`)3YQL(BMYt*ddD_(g}W)IYeF;x zTM!Y+Wqv!@c)Zbfwm3a|oBSEcZx7d!IGDtsxIWT%f~GyzbKJt1#;8^uwchSj zmyq?`VoD*CJwv_Ds9XA*&FB4nL#~GZpX~Mjdl2yN)4!X`|33ZaRO7!D`+t0Jk#zQi b@De7I#y$B+K`s->ZDHi3lqD<04gLQIwmU4q literal 0 HcmV?d00001 
From f065893f52b3de19699a71d8a1b1d70da6246561 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:05:30 +0100 Subject: [PATCH 04/17] Add logo to readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1c1369d..10ad8ef 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,9 @@ [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com") [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench) -# kube-bench +# kube-bench + + The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. From cb4bec9120568e4aca4e9fb00de73eba078599d3 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:07:49 +0100 Subject: [PATCH 05/17] logo instead of heading --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 10ad8ef..8044422 100644 --- a/README.md +++ b/README.md 
@@ -3,11 +3,9 @@ [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com") [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench) -# kube-bench +kube-bench logo - - -The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. +kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve. From 033245f71c05263f8e8c938563d45f62ff5f3a5a Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:18:55 +0100 Subject: [PATCH 06/17] logo in svg format --- images/kube-bench.svg | 121 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 images/kube-bench.svg diff --git a/images/kube-bench.svg b/images/kube-bench.svg new file mode 100644 index 0000000..ba64a9e --- /dev/null +++ b/images/kube-bench.svg @@ -0,0 +1,121 @@ + +image/svg+xml \ No newline at end of file From 3560bbbbfa3aa4ab0e1691a184ca050de658634f Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 13:35:23 -0500 Subject: [PATCH 07/17] Allow kube-bench to be run inside its distribution container --- Dockerfile | 26 +++++++++++++++++--------- hooks/build | 0 2 files changed, 17 insertions(+), 9 deletions(-) mode change 100644 => 100755 hooks/build diff --git a/Dockerfile b/Dockerfile index 10f1676..d564612 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,13 +1,21 @@ -FROM golang:1.9 -WORKDIR /kube-bench -RUN go get github.com/aquasecurity/kube-bench +FROM golang:1.9 AS build +WORKDIR /go/src/github.com/aquasecurity/kube-bench/ +ADD glide.lock glide.yaml ./ +RUN go get github.com/Masterminds/glide && glide install +ADD main.go . +ADD check/ check/ +ADD cmd/ cmd/ +RUN CGO_ENABLED=0 go install -a -ldflags '-w' -FROM alpine:latest -WORKDIR / -COPY --from=0 /go/bin/kube-bench /kube-bench -COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/cfg /cfg -COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/entrypoint.sh /entrypoint.sh -ENTRYPOINT /entrypoint.sh +FROM alpine:latest AS run +WORKDIR /opt/kube-bench/ +# add GNU ps for -C, -o cmd, and --no-headers support +# https://github.com/aquasecurity/kube-bench/issues/109 +RUN apk --no-cache add procps +COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench +ADD entrypoint.sh . +ADD cfg/ cfg/ +ENTRYPOINT ["./entrypoint.sh"] # Build-time metadata as defined at http://label-schema.org ARG BUILD_DATE diff --git a/hooks/build b/hooks/build old mode 100644 new mode 100755 From 07146833716e92000608b399f615d63dcdac53ba Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 13:43:47 -0500 Subject: [PATCH 08/17] Modify entrypoint to allow execution of kube-bench as default --- README.md | 27 ++++++++++++++++++++++++--- entrypoint.sh | 27 ++++++++++++++++----------- 2 files changed, 40 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 8044422..f683277 100644 --- a/README.md +++ b/README.md 
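Review bot: Every local copy in both stages uses `ADD` (`ADD glide.lock glide.yaml ./`, `ADD main.go .`, `ADD entrypoint.sh .`, `ADD cfg/ cfg/`), but `ADD` also fetches URLs and transparently unpacks local tar archives, so an archive dropped under `cfg/` would be extracted into the image rather than copied; `COPY` has plain file-copy semantics and is the form Docker's own best-practice guide recommends for local sources. `ENTRYPOINT ["./entrypoint.sh"]` resolves against `WORKDIR /opt/kube-bench/` and stops working if a caller overrides the working directory with `-w`; `ENTRYPOINT ["/opt/kube-bench/entrypoint.sh"]` removes that dependency. The `# add GNU ps ...` comment with its issue link is exactly the kind of why-comment the `WORKDIR /opt/kube-bench/` line could also carry, since the layout appears to be chosen so that kube-bench finds `cfg/` relative to its working directory.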
@@ -19,10 +19,31 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and You can either install kube-bench through a dedicated container, or compile it from source: -1. Container installation: -Run ```docker run --rm -v `pwd`:/host aquasec/kube-bench:latest```. This will copy the kube-bench binary and configuration to you host. You can then run ```./kube-bench ```. +### Running inside a container + +You can avoid installing kube-bench entirely by running it inside a container using the host PID namespace. + +``` +docker run --pid=host aquasec/kube-bench:latest +``` + +You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` + +``` +docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest +``` + +### Installing from a container + +If you want to install a pre-built kube-bench, you can copy the kube-bench binary and configuration files to your host from the Docker container: +``` +docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install +``` + +You can then run `./kube-bench `. + +### Installing from sources -2. Install from sources: If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)): ```go get github.com/aquasecurity/kube-bench diff --git a/entrypoint.sh b/entrypoint.sh index ad28fbf..43420e0 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,14 +1,19 @@ #!/bin/sh -if [ -d /host ]; then - mkdir -p /host/cfg/ - yes | cp -rf /cfg/* /host/cfg/ - yes | cp -rf /kube-bench /host/ - echo "===============================================" - echo "kube-bench is now installed on your host " - echo "Run ./kube-bench to perform a security check " - echo "===============================================" +if [ "$1" == "install" ]; then + if [ -d /host ]; then + mkdir -p /host/cfg/ + yes | cp -rf /cfg/* /host/cfg/ + yes | cp -rf /kube-bench /host/ + echo "===============================================" + echo "kube-bench is now installed on your host " + echo "Run ./kube-bench to perform a security check " + echo "===============================================" + else + echo "Usage:" + echo " install: docker run --rm -v \`pwd\`:/host aquasec/kube-bench install" + echo " run: docker run --rm --pid=host aquasec/kube-bench [command]" + exit + fi else - echo "Usage:" - echo " docker run --rm -v \`pwd\`:/host aquasec/kube-bench" - exit + exec kube-bench "$@" fi From 1cff0c4da1c56b9e4da6bb15473a6326a509eb8b Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 14:01:49 -0500 Subject: [PATCH 09/17] Clarify that only Linux is supported when installing from container --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f683277..4521183 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ If you want to install a pre-built kube-bench, you can copy the kube-bench binar docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install ``` -You can then run `./kube-bench `. +You can then run `./kube-bench `. This should work for any Linux distribution, including Alpine. ### Installing from sources From 3eb8a08a9de6e913b435759f8fa2acba36719498 Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 21:17:38 -0500 Subject: [PATCH 10/17] Freeze alpine to tag 3.7 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
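Review bot: `[ "$1" == "install" ]` uses `==`, which POSIX `test` does not define; BusyBox ash on the Alpine image accepts it, but `dash` (Debian's `/bin/sh`) rejects it with "unexpected operator", so write `[ "$1" = "install" ]`. The usage branch ends with a bare `exit`, i.e. status 0, so a CI job that forgets to mount `/host` is reported as success — `exit 1` there would make the mistake visible. The install branch still copies from `/cfg/*` and `/kube-bench`, while the Dockerfile in this series (patch 07) places the binary at `/usr/local/bin/kube-bench` and the configs under `/opt/kube-bench/cfg/`; patch 13 later corrects those paths, so that part is addressed downstream.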
diff --git a/Dockerfile b/Dockerfile index d564612..a17c1af 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ ADD check/ check/ ADD cmd/ cmd/ RUN CGO_ENABLED=0 go install -a -ldflags '-w' -FROM alpine:latest AS run +FROM alpine:3.7 AS run WORKDIR /opt/kube-bench/ # add GNU ps for -C, -o cmd, and --no-headers support # https://github.com/aquasecurity/kube-bench/issues/109 From 0c52ace48fc3df1af5885aa746d7f8d19a96113b Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 21:18:47 -0500 Subject: [PATCH 11/17] Install binary and configs as the default behavior --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index a17c1af..0a0fbad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench ADD entrypoint.sh . ADD cfg/ cfg/ ENTRYPOINT ["./entrypoint.sh"] +CMD ["install"] # Build-time metadata as defined at http://label-schema.org ARG BUILD_DATE From 7460037528a266d0dc2dbb7b5c2ed17c1920d18f Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 11 May 2018 12:47:04 +0100 Subject: [PATCH 12/17] Add link to releases page --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4521183..37fbc72 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and ## Installation -You can either install kube-bench through a dedicated container, or compile it from source: +You can either install kube-bench through a dedicated container, install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), or compile it from source. ### Running inside a container From b26b23e573ae98db057ee32adb10935306249ba0 Mon Sep 17 00:00:00 2001 
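Review bot: With `CMD ["install"]` as the default argument, the invocation the README documents under "Running inside a container" — `docker run --pid=host aquasec/kube-bench:latest` with no command — now passes `install` to entrypoint.sh, which takes the install branch and, with no `/host` mount, prints the usage text instead of running the checks. Either the README should show the check command explicitly, as the usage text in entrypoint.sh already does (`... aquasec/kube-bench [command]`), or the default should remain the run path with `install` opt-in. A comment next to the new line, e.g. `# default to the install flow; pass a command to run checks in-container`, would make the choice explicit for the next reader of this Dockerfile.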
From: Liz Rice Date: Fri, 11 May 2018 15:39:11 +0100 Subject: [PATCH 13/17] Script needs to actually install kube-bench & its config! --- README.md | 12 ++++++++---- entrypoint.sh | 4 ++-- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 37fbc72..ab62ef9 100644 --- a/README.md +++ b/README.md @@ -17,11 +17,15 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and ## Installation -You can either install kube-bench through a dedicated container, install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), or compile it from source. +You can choose to +* run kube-bench from inside a container (sharing PID namespace with the host) +* run a container that installs kube-bench on the host, and then run kube-bench directly on the host +* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), +* compile it from source. ### Running inside a container -You can avoid installing kube-bench entirely by running it inside a container using the host PID namespace. +You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace. ``` docker run --pid=host aquasec/kube-bench:latest @@ -35,12 +39,12 @@ docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml ### Installing from a container -If you want to install a pre-built kube-bench, you can copy the kube-bench binary and configuration files to your host from the Docker container: +This command copies the kube-bench binary and configuration files to your host from the Docker container: ``` docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install ``` -You can then run `./kube-bench `. This should work for any Linux distribution, including Alpine. +You can then run `./kube-bench `. ### Installing from sources diff --git a/entrypoint.sh b/entrypoint.sh index 43420e0..771b32d 100755 
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,8 +2,8 @@
 if [ "$1" == "install" ]; then
 if [ -d /host ]; then
 mkdir -p /host/cfg/
- yes | cp -rf /cfg/* /host/cfg/
- yes | cp -rf /kube-bench /host/
+ yes | cp -rf cfg/* /host/cfg/
+ yes | cp -rf /usr/local/bin/kube-bench /host/
 echo "==============================================="
 echo "kube-bench is now installed on your host "
 echo "Run ./kube-bench to perform a security check "
From 1935c952d653613b0c7a6eea75ad5b3486fae7f5 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 11 May 2018 16:03:03 +0100 Subject: [PATCH 14/17] --request-timeout is a duration
---
cfg/1.8/master.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml
index 170c89a..fa1d1a6 100644
--- a/cfg/1.8/master.yaml
+++ b/cfg/1.8/master.yaml
@@ -610,7 +610,7 @@ groups: remediation: | Edit the API server pod specification file $apiserverconf and set the below parameter as appropriate and if needed. For example, - --request-timeout=300 + --request-timeout=300s scored: true - id: 1.2
From 7823ca388c7822a3782acd5021b4944b080bb560 Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Fri, 11 May 2018 13:44:04 -0400 Subject: [PATCH 15/17] Set -e to fail fast
---
entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 771b32d..b06f083 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 if [ "$1" == "install" ]; then
 if [ -d /host ]; then
 mkdir -p /host/cfg/
From 39d94df81b78df8fec427e4b487455f4977892c5 Mon Sep 17 00:00:00 2001
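Review bot: `yes | cp -rf cfg/* /host/cfg/` is now relative to the working directory, so the install only succeeds when the container starts in `/opt/kube-bench/` (the Dockerfile's WORKDIR), while the binary line beside it uses an absolute path; `yes | cp -rf /opt/kube-bench/cfg/* /host/cfg/` keeps both independent of the cwd, or a `cd "$(dirname "$0")"` at the top of the script would make every relative path safe. The `yes |` prefix is unnecessary here: `cp` only prompts with `-i`, and shell aliases do not apply inside a script. The enclosing `if` blocks start and end outside the hunk.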
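Review bot: `#!/bin/sh -e` only takes effect when the script is started through its shebang; if it is ever invoked as `sh entrypoint.sh` (for instance via `docker run --entrypoint sh`), the `-e` is silently dropped. Putting `set -e` on the line after a plain `#!/bin/sh` gives the same fail-fast behaviour in every invocation, and a short comment such as `# abort the install on the first failed copy` records why it is there. The rest of the script is outside this hunk.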
From: Jeppe Fihl-Pearson Date: Fri, 11 May 2018 18:58:24 +0100 Subject: [PATCH 16/17] Add tip about the `--version` flag to error output If people are trying to use the Docker image to check their cluster, there's a big likelyhood of them hitting the error message saying that either `kubectl` or `kubelet` need to be found in order for `kube-bench` to be able to determine the Kubernetes version in use. This adds a tip that the version can be specified manually with the `--version` flag which is a lot easier than having to make a new Docker image with the right version of `kubelet`/`kubectl` in order for `kube-bench` to work. --- cmd/util.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/util.go b/cmd/util.go index 7b8e9de..ab78945 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -219,7 +219,7 @@ func getKubeVersion() string { if err != nil { _, err = exec.LookPath("kubelet") if err != nil { - exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version")) + exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version.\nAlternately, you can specify the version with --version")) } return getKubeVersionFromKubelet() } @@ -240,7 +240,7 @@ func getKubeVersionFromKubectl() string { func getKubeVersionFromKubelet() string { cmd := exec.Command("kubelet", "--version") out, err := cmd.CombinedOutput() - + if err != nil { continueWithError(fmt.Errorf("%s", out), "") } From 9810bafabe9f0f38540174283d0f0616271a8560 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 11 May 2018 19:49:11 +0100 Subject: [PATCH 17/17] Adding a test install to travis job --- .travis.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.travis.yml b/.travis.yml index 9528ceb..16d33a5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,11 @@ --- language: go +sudo: required + +services: + - docker + notifications: email: false 
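Review bot: The changed call passes a constant string with no verbs to `fmt.Errorf`, so `errors.New("Version check failed: need kubectl or kubelet binaries to get kubernetes version.\nAlternately, you can specify the version with --version")` states the intent directly and avoids the linter warning for a format call without directives (assuming the `errors` package is imported in cmd/util.go, which is not visible here). The tip names the flag but not the value it expects; the runChecks switch in cmd/common.go matches the version literally against strings like `"1.10"`, so appending "(e.g. --version 1.10)" to the message would spare users a second round trip. The second hunk only removes trailing whitespace in getKubeVersionFromKubelet.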
@@ -16,6 +21,10 @@ install: script: - go test ./... + - docker build --tag kube-bench . + - docker run -v `pwd`:/host kube-bench install + - test -d cfg + - test -f kube-bench after_success: - test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash
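Review bot: The `docker run -v ...:/host kube-bench install` step runs without `--rm`, so every build leaves a stopped container behind on the worker, and `test -f kube-bench` checks only that the copied binary exists, not that it is executable; adding `--rm` to the `docker run` line and using `test -x kube-bench` are the tighter forms. Because the image sets no `USER`, the container runs as root and the files it writes into the checkout (`cfg/` and `kube-bench`) are root-owned on the host — harmless for these two `test` lines, but it would bite any later step that tries to modify or delete them. A one-line comment above the `docker build` line such as `# smoke-test the container install flow described in the README` would explain why a Go unit-test job needs Docker.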