addressed review comments

1.Implemented IsRKE functionality in kube-bench 2. Removed containerd from global level config and accommodated in individual config file 3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
6 months ago · bf258a6b4f
parent a8b67faba6
commit bf258a6b4f
6 changed files with 134 additions and 12 deletions
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@ -28,7 +28,6 @@ master:
      - "apiserver"
      - "openshift start master api"
      - "hypershift openshift-kube-apiserver"
-      - "containerd"
    confs:
      - /etc/kubernetes/manifests/kube-apiserver.yaml
      - /etc/kubernetes/manifests/kube-apiserver.yml
@ -47,7 +46,6 @@ master:
      - "hyperkube kube-scheduler"
      - "scheduler"
      - "openshift start master controllers"
-      - "containerd"
    confs:
      - /etc/kubernetes/manifests/kube-scheduler.yaml
      - /etc/kubernetes/manifests/kube-scheduler.yml
@ -74,7 +72,6 @@ master:
      - "controller-manager"
      - "openshift start master controllers"
      - "hypershift openshift-controller-manager"
-      - "containerd"
    confs:
      - /etc/kubernetes/manifests/kube-controller-manager.yaml
      - /etc/kubernetes/manifests/kube-controller-manager.yml
@ -122,7 +119,6 @@ master:
    bins:
      - "hyperkube kubelet"
      - "kubelet"
-      - "containerd"

 node:
  components:
@ -156,7 +152,6 @@ node:
    bins:
      - "hyperkube kubelet"
      - "kubelet"
-      - "containerd"
    kubeconfig:
      - "/etc/kubernetes/kubelet.conf"
      - "/etc/kubernetes/kubelet-kubeconfig.conf"
@ -208,7 +203,6 @@ node:
      - "hyperkube kube-proxy"
      - "proxy"
      - "openshift start network"
-      - "containerd"
    confs:
      - /etc/kubernetes/proxy
      - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
@ -237,7 +231,6 @@ etcd:
  etcd:
    bins:
      - "etcd"
-      - "containerd"
    datadirs:
      - /var/lib/etcd/default.etcd
      - /var/lib/etcd/data.etcd
@ -265,7 +258,6 @@ controlplane:
      - "hyperkube apiserver"
      - "hyperkube kube-apiserver"
      - "apiserver"
-      - "containerd"

 policies:
  components: []
--- a/cfg/k3s-cis-1.23/master.yaml
+++ b/cfg/k3s-cis-1.23/master.yaml
@ -687,7 +687,7 @@ groups:
          For example, to set it as 100 MB, --audit-log-maxsize=100
        scored: true

-      - id: 1.2.25
+      - id: 1.2.23
        text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal  -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
--- a/cfg/k3s-cis-1.24/config.yaml
+++ b/cfg/k3s-cis-1.24/config.yaml
@ -1,2 +1,46 @@
 ---
 ## Version-specific settings that override the values in cfg/config.yaml
+
+master:
+  components:
+    - apiserver
+    - scheduler
+    - controllermanager
+    - etcd
+    - policies
+
+  apiserver:
+    bins:
+      - containerd
+
+  scheduler:
+    bins:
+      - containerd
+
+  controllermanager:
+    bins:
+      - containerd
+
+  etcd:
+    bins:
+      - containerd
+
+  node:
+    components:
+      - kubelet
+      - proxy
+
+    kubelet:
+      bins:
+        - containerd
+      defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
+      defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt
+
+    proxy:
+      bins:
+        - containerd
+      defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig
+
+  policies:
+    components:
+      - policies
--- a/cfg/k3s-cis-1.24/master.yaml
+++ b/cfg/k3s-cis-1.24/master.yaml
@ -686,7 +686,7 @@ groups:
          For example, to set it as 100 MB, --audit-log-maxsize=100
        scored: true

-      - id: 1.2.25
+      - id: 1.2.23
        text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal  -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
--- a/cfg/k3s-cis-1.7/config.yaml
+++ b/cfg/k3s-cis-1.7/config.yaml
@ -1,2 +1,53 @@
 ---
 ## Version-specific settings that override the values in cfg/config.yaml
+
+master:
+  components:
+    - apiserver
+    - kubelet
+    - scheduler
+    - controllermanager
+    - etcd
+    - policies
+
+  apiserver:
+    bins:
+      - containerd
+
+  kubelet:
+    bins:
+      - containerd
+    defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
+    defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt
+
+  scheduler:
+    bins:
+      - containerd
+
+  controllermanager:
+    bins:
+      - containerd
+
+  etcd:
+    bins:
+      - containerd
+
+  node:
+    components:
+      - kubelet
+      - proxy
+
+    kubelet:
+      bins:
+        - containerd
+      defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
+      defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt
+
+    proxy:
+      bins:
+        - containerd
+      defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig
+
+  policies:
+    components:
+      - policies
--- a/cmd/util.go
+++ b/cmd/util.go
@ -14,9 +14,9 @@ import (
 	"github.com/aquasecurity/kube-bench/check"
 	"github.com/fatih/color"
 	"github.com/golang/glog"
-	"github.com/rancher/kubernetes-provider-detector/providers"
 	"github.com/spf13/viper"

+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 )
@ -305,8 +305,9 @@ func getKubeVersion() (*KubeVersion, error) {
 		if err != nil {
 			glog.V(3).Infof("Failed to fetch k8sClient object from kube config : %s", err)
 		}
+
 		if err == nil {
-			isRKE, err = providers.IsRKE(context.Background(), k8sClient)
+			isRKE, err = IsRKE(context.Background(), k8sClient)
 			if err != nil {
 				glog.V(3).Infof("Error detecting RKE cluster: %s", err)
 			}
@ -588,3 +589,37 @@ func getOcpValidVersion(ocpVer string) (string, error) {
 	glog.V(1).Info(fmt.Sprintf("getOcpBenchmarkVersion unable to find a match for: %q", ocpOriginal))
 	return "", fmt.Errorf("unable to find a matching Benchmark Version match for ocp version: %s", ocpOriginal)
 }
+
+// IsRKE Identifies if the cluster belongs to Rancher Distribution RKE
+func IsRKE(ctx context.Context, k8sClient kubernetes.Interface) (bool, error) {
+	// if there are windows nodes then this should not be counted as rke.linux
+	windowsNodes, err := k8sClient.CoreV1().Nodes().List(ctx, metav1.ListOptions{
+		Limit:         1,
+		LabelSelector: "kubernetes.io/os=windows",
+	})
+	if err != nil {
+		return false, err
+	}
+	if len(windowsNodes.Items) != 0 {
+		return false, nil
+	}
+
+	// Any node created by RKE should have the annotation, so just grab 1
+	nodes, err := k8sClient.CoreV1().Nodes().List(ctx, metav1.ListOptions{Limit: 1})
+	if err != nil {
+		return false, err
+	}
+
+	if len(nodes.Items) == 0 {
+		return false, nil
+	}
+
+	annos := nodes.Items[0].Annotations
+	if _, ok := annos["rke.cattle.io/external-ip"]; ok {
+		return true, nil
+	}
+	if _, ok := annos["rke.cattle.io/internal-ip"]; ok {
+		return true, nil
+	}
+	return false, nil
+}