1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-30 02:18:07 +00:00
Commit Graph

756 Commits

Author SHA1 Message Date
Cyril Tovena
5baf81a70a Adds master node detection and a root command that automatically detect checks to run.
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
2019-03-12 19:32:05 -04:00
Liz Rice
c4c0d911d4
Merge pull request #237 from aquasecurity/openshift
Update openshift executable config
2019-03-07 14:53:22 +00:00
Liz Rice
9b3628e76a
Update openshift executable config for #236 2019-03-07 11:18:06 +00:00
Liz Rice
8745df170a
Merge pull request #233 from aquasecurity/clean-ocp-configs
Clean up OCP benchmark config.
2019-03-07 09:30:18 +00:00
Liz Rice
1ead9e1d71
Merge branch 'master' into clean-ocp-configs 2019-03-07 09:22:47 +00:00
Liz Rice
772d2e26b4
Merge pull request #226 from aquasecurity/add-new-cfg-version1.4
add new config files from the new CIS Kubernetes Benchmark
2019-03-06 13:35:17 +00:00
Abubakr-Sadik Nii Nai Davis
53ed68a0b2 Clean up OCP benchmark config.
The OCP benchmarks uses configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
2019-03-06 12:02:58 +00:00
yoavrotems
c6102f0a1b
Fix the files
Fix the start from 1.11 to 1.13 and adding changes from pull #227, and pull #228.
2019-03-06 11:26:36 +00:00
yoavrotems
e534392525
Delete node.yaml
replace with the new node.yaml file
2019-03-06 13:24:14 +02:00
yoavrotems
5f09ecef44
Delete master.yaml
replace with the new master.yaml file
2019-03-06 13:23:49 +02:00
yoavrotems
a7d9e06c1b
Delete config.yaml
replace with the new config.yaml file
2019-03-06 13:23:18 +02:00
yoavrotems
50f22e7f13
Merge branch 'master' into add-new-cfg-version1.4 2019-03-06 11:16:36 +00:00
Liz Rice
2d4019aabe
Merge pull request #228 from aquasecurity/fix-208
Fix issues with checks for kubelet configuration files
2019-03-03 11:10:05 +00:00
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208 2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
d255b49d4b Revert 1.8 config file. 2019-03-02 17:20:46 +00:00
Liz Rice
0a58805cdb
Merge pull request #227 from aquasecurity/fix-false-detections
Only find flags on the process we really want
2019-02-28 10:48:23 +08:00
Liz Rice
c18d8a2234
Merge branch 'master' into fix-false-detections 2019-02-28 10:38:41 +08:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8 Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.

This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.

This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2 Fix wrong reference to kubelet.config in node checks.
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208.
2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want 2019-02-28 01:33:21 +08:00
yoavrotems
82150fdc63
add new config files from the new CIS Kubernetes Benchmark
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
2019-02-27 10:39:32 +00:00
Liz Rice
c824daeb15
Merge pull request #222 from nshauli/search_for_kubelet_binary_when_not_in_path
search for the kubelet binary when it is not in the path
2019-02-19 16:07:20 +00:00
nshauli
e93bfc1aac search for the kubelet binary when it is not in the path 2019-02-19 16:38:10 +02:00
Liz Rice
da09e6513a
Merge pull request #218 from yoavAqua/bugfix-log-warnings-instead-of-print
Bugfix: Logging warning instead of printing
2019-02-19 13:48:30 +00:00
Liz Rice
7626dc2705
Merge branch 'master' into bugfix-log-warnings-instead-of-print 2019-02-19 13:44:23 +00:00
Yoav Hizkiahou
082e9cf7e9 Bugfix: Logging warning instead of printing
Made all the warnings to be logged and not printed, so when using the json flag the output will be only in json format.

fix #217
2019-02-19 14:39:55 +02:00
Liz Rice
2d4c7e8b42
Merge pull request #212 from aquasecurity/ocp-configs
OCP benchmarks and configs
2019-02-18 09:31:45 +00:00
Liz Rice
cd231106cc
Improve comment
Tests could easily be marked "skip" because the user doesn't want to run them in their environment, and in this common case the set of tests will be non-nil
2019-02-18 08:46:26 +00:00
Liz Rice
db962a0ad9
Fix merge of skip check 2019-02-18 08:40:57 +00:00
Abubakr-Sadik Nii Nai Davis
911e9051dc Merge remote-tracking branch 'origin/master' into ocp-configs 2019-02-15 19:48:53 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7 Add OCP 3.10 benchmarks. 2019-02-15 19:44:39 +00:00
Weston Steimel
42ed8628de Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-02-15 19:43:13 +00:00
Liz Rice
dc8dcfbf8c
Merge pull request #211 from yoavAqua/support-skip-flag
Type skip and not scored checks
2019-01-29 23:14:05 +02:00
Yoav Hizkiahou
49f745af8e Support new check type - skip:
If a check is marked with type "skip", it will be marked as Info.

Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
2019-01-29 19:05:12 +02:00
Liz Rice
ba437d500a
Merge pull request #206 from westonsteimel/no_runningversion_if_version_set
Only get runningVersion if --version has not been provided
2019-01-24 12:00:59 +01:00
Weston Steimel
42f4152058
Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-01-24 00:34:09 +00:00
Liz Rice
8dabb7dc37
Merge pull request #201 from aquasecurity/yam-comment
Comment why we mount /usr/bin
2019-01-22 09:49:25 +01:00
Liz Rice
f2062e81a1
Comment why /usr/bin is mounted 2019-01-17 11:36:25 +00:00
Liz Rice
528bcfbffe
Update job-node.yaml 2019-01-17 11:34:26 +00:00
Liz Rice
3422b9102f
Add comment for why /usr/bin is mounted 2019-01-17 11:33:35 +00:00
Liz Rice
86b126ad2b Create NOTICE (#199)
* Create NOTICE

* Update NOTICE
2019-01-16 10:53:07 +02:00
Liz Rice
827945f7fb
Merge pull request #200 from spuder/patch-1
warn osx limitation
2019-01-15 11:11:57 +00:00
Liz Rice
79427e185e
Merge branch 'master' into patch-1 2019-01-15 11:05:27 +00:00
Liz Rice
6b9ceae9d4
True for Windows too 2019-01-15 11:05:04 +00:00
Liz Rice
fbd6eb8ff5
Merge pull request #198 from aquasecurity/mount-volumes
For #197 - create job YAML files that mount host volumes as needed
2019-01-15 11:03:06 +00:00
Spencer Owen
2a9a02f25b
warn osx limitation 2019-01-14 10:41:19 -07:00
Liz Rice
8021610e46
For #197 - create job YAML files that mount host volumes as needed 2019-01-11 18:44:13 +00:00
Liz Rice
2eef3e8ad2
Merge pull request #193 from maxbischoff/patch-1
Changed 1.1.14 to not fail when flag is not set
2019-01-09 10:21:27 +00:00
Maximilian Bischoff
791fbba9e7
Changed 1.1.14 to not fail when flag is not set
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
2019-01-08 13:58:41 +01:00
Liz Rice
f6cab11357
Merge pull request #187 from martinmosegaard/doc-kubectl-host-pid
Document limitation of running with kubectl
2019-01-02 11:05:32 +00:00