1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-23 15:18:07 +00:00
Commit Graph

154 Commits

Author SHA1 Message Date
Liz Rice
9246be924d
Merge branch 'master' into features/autodetect-nodetype 2019-03-13 20:36:19 -07:00
Cyril Tovena
5baf81a70a Adds master node detection and a root command that automatically detect checks to run.
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
2019-03-12 19:32:05 -04:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8 Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.

This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.

This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
nshauli
e93bfc1aac search for the kubelet binary when it is not in the path 2019-02-19 16:38:10 +02:00
Liz Rice
7626dc2705
Merge branch 'master' into bugfix-log-warnings-instead-of-print 2019-02-19 13:44:23 +00:00
Yoav Hizkiahou
082e9cf7e9 Bugfix: Logging warning instead of printing
Made all the warnings to be logged and not printed, so when using the json flag the output will be only in json format.

fix #217
2019-02-19 14:39:55 +02:00
Abubakr-Sadik Nii Nai Davis
911e9051dc Merge remote-tracking branch 'origin/master' into ocp-configs 2019-02-15 19:48:53 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7 Add OCP 3.10 benchmarks. 2019-02-15 19:44:39 +00:00
Weston Steimel
42ed8628de Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-02-15 19:43:13 +00:00
Yoav Hizkiahou
49f745af8e Support new check type - skip:
If a check is marked with type "skip", it will be marked as Info.

Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
2019-01-29 19:05:12 +02:00
Weston Steimel
42f4152058
Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-01-24 00:34:09 +00:00
Abubakr-Sadik Nii Nai Davis
ed21839464 Add getServiceFiles function.
The CIS benchmark check for node checks 2 config files for kubelet:
  - kubelet config file (kubelet.conf)
  - kubelet systemd unitfile (10-kubeadm.conf)

The getServiceFiles function gets candidates for kubelet systemd
unitfile and returns valid untifiles.
2018-10-23 02:26:38 +00:00
bvwells
cc43fcbb7e Add link to CIS kubernetes benchmark 2018-08-10 20:55:02 +01:00
Liz Rice
ccc2b6c9ae Shouldn't need kubelet or kubectl if version specified 2018-07-26 12:03:09 +01:00
Liz Rice
9d0141871a Use new utility function for finding correct config files.
Improve order of message output
Remove unnecessary local variable
2018-06-29 12:20:29 +01:00
Liz Rice
344d2bfd24 Utility for getting the right config file for the Kubernetes version 2018-06-29 12:19:34 +01:00
Liz Rice
ecd14ed682 File substitutions should be a detailed log 2018-06-29 12:19:00 +01:00
Liz Rice
223ac14642 Don't override version specified on command line 2018-06-29 10:35:44 +01:00
Abubakr-Sadik Nii Nai Davis
6d237607fb Fix typo in help text. 2018-05-15 04:50:39 +00:00
Abubakr-Sadik Nii Nai Davis
5da707b8d6 Remove CIS benchmark version in tool title.
it has grown stale and is dependent on k8s version we are checking.
2018-05-15 04:23:39 +00:00
Jeppe Fihl-Pearson
39d94df81b Add tip about the --version flag to error output
If people are trying to use the Docker image to check their cluster, there's a
big likelyhood of them hitting the error message saying that either `kubectl`
or `kubelet` need to be found in order for `kube-bench` to be able to determine
the Kubernetes version in use.

This adds a tip that the version can be specified manually with the `--version`
flag which is a lot easier than having to make a new Docker image with the
right version of `kubelet`/`kubectl` in order for `kube-bench` to work.
2018-05-11 18:58:24 +01:00
Liz Rice
0b4872104d
Merge branch 'master' into feature/issue-107 2018-04-16 17:15:30 +01:00
Will Medlar
9469b1c124 Allow kubernetes version and config directory to be specified (resolves #107) 2018-04-12 15:01:58 -04:00
Abubakr-Sadik Nii Nai Davis
ade064006e Add extra output manipulation flags, --noremediations, --nosummary and
--noresults.

These flags disable printing sections of the final output of kube-bench.
2018-04-10 20:01:47 +00:00
Liz Rice
728cb0765f Use 1.8 tests for k8s 1.9 and 1.10 2018-04-04 10:49:05 +01:00
Philippe ALEXANDRE
f091c8adea Remove the old lines of fmt.Sprintf in cmd/common.go 2018-03-27 15:33:01 +02:00
Philippe ALEXANDRE
d6c16f7563 Try to use kubelet when kubectl is unavailable 2018-03-23 09:29:17 +01:00
Philippe ALEXANDRE
c86d0ff81b Replace fmt.Sprintf by filepath.Join 2018-03-23 09:27:48 +01:00
Liz Rice
58b6358a02
Merge branch 'master' into u/jaxxstorm/golint 2018-01-30 19:46:44 +00:00
Lee Briggs
94a1f3c41f
Lint all code for golint tests 2018-01-11 10:01:58 -08:00
Abubakr-Sadik Nii Nai Davis
64aaef7997 Fixed expected return for getKubeVersion. 2017-11-28 17:47:57 +00:00
Abubakr-Sadik Nii Nai Davis
53eb720952 Merge branch 'master' into unnecessary-warning 2017-11-28 17:44:53 +00:00
Abubakr-Sadik Nii Nai Davis
04f044e3b9 Add support for merging general and kubernetes version specific config files.
This change unifies all config files, podspecs and unitfiles under
a single component configuration key; `config`.
2017-11-28 17:38:34 +00:00
Liz Rice
97485419e2 Can't run kubectl on Travis so I don't know how this test ever worked 2017-11-21 13:21:47 +00:00
Liz Rice
730871f330 Fix kubeVersion regex tests 2017-11-21 13:19:09 +00:00
Abubakr-Sadik Nii Nai Davis
c93c94b3f6 Fix version check regexp. 2017-11-21 12:20:02 +00:00
Abubakr-Sadik Nii Nai Davis
c60c459bc4 Fix bug causing kubectl version to always return default version. 2017-11-14 22:27:55 +00:00
Abubakr-Sadik Nii Nai Davis
42a1068964 Add default version if version check fails. 2017-11-13 15:25:34 +00:00
Abubakr-Sadik Nii Nai Davis
f90dd925b8 Exit kube-bench if we can't get valid kubernetes server version and
improve error messages.
2017-11-03 13:11:10 +00:00
Abubakr-Sadik Nii Nai Davis
31b5910a7f Remove unnecessary warnings about missing config files. 2017-11-03 10:41:01 +00:00
Steven Logue
909e6cc874 created database.go file and moved DB function into it 2017-11-01 10:15:31 -07:00
Liz Rice
1faeb55b67
Merge branch 'master' into master 2017-11-01 14:46:48 +00:00
Steven Logue
d79a2a5478 added support for saving scan results to pgsql 2017-10-31 13:08:46 -07:00
Abubakr-Sadik Nii Nai Davis
3dcc38d5c8 Fix issue with util test. 2017-10-24 12:45:38 +00:00
Abubakr-Sadik Nii Nai Davis
592dc81974 Remove unused variables. 2017-10-24 12:02:22 +00:00
Abubakr-Sadik Nii Nai Davis
cec1d9d6b3 Combine config reading functions into single function. 2017-10-24 12:01:02 +00:00
Abubakr-Sadik Nii Nai Davis
e227934c88 Add function to get unit files for kubernetes components. 2017-10-15 13:20:01 +00:00
Abubakr-Sadik Nii Nai Davis
6ce0c5bf60 Add function to get pod specs for kubernetes components. 2017-10-15 13:19:57 +00:00
Abubakr-Sadik Nii Nai Davis
018ad12a64 Log benchmark definition file at verbosity level 1. 2017-09-26 23:33:47 +00:00
Abubakr-Sadik Nii Nai Davis
73a37a0c16 Delete tests for verifyKubeVersion and support functions. 2017-09-26 23:24:44 +00:00
Abubakr-Sadik Nii Nai Davis
88a003090f Delete verifyKubeVersion support functions. 2017-09-26 23:23:34 +00:00
Abubakr-Sadik Nii Nai Davis
a95d083049 Remove call to verifyKubeVersion.
This functionality is fulfilled by getKubeVersion.
2017-09-26 23:20:28 +00:00
Abubakr-Sadik Nii Nai Davis
d9e1eee2cd Merge remote-tracking branch 'origin/master' into support for multiple
Kubernetes versions.
2017-09-20 00:39:30 +00:00
Abubakr-Sadik Nii Nai Davis
56fa20103a Add function to retrieve Kubernetes server version.
The server version is used to load the correct benchmark check
to run against the Kubernetes cluster.
2017-09-17 19:49:13 +00:00
Liz Rice
c4be4a1240 Remove installation flag and some other unused variables 2017-08-31 17:52:21 +01:00
Liz Rice
de12829923 Correct test to cope with multi-line ps output 2017-08-31 17:43:07 +01:00
Liz Rice
e4a89123e0 Move message about which config file we’re using into a log at the start 2017-08-31 17:38:11 +01:00
Liz Rice
8380ad1ef3 Better detection of running executables 2017-08-31 16:01:31 +01:00
Liz Rice
d637d8714a Fix and add tests 2017-08-31 15:22:30 +01:00
Liz Rice
a3197f8efe Reorder YAML to make a bit more sense. Allow for optional components, and a config file that we don’t think exists. 2017-08-31 14:45:16 +01:00
Liz Rice
e4b905e360 Log when there’s no substitution 2017-08-31 14:43:59 +01:00
Liz Rice
f5550fd8bd Node type is now verified by looking for running binaries from a set of options 2017-08-31 14:43:35 +01:00
Liz Rice
6a5a62b278 Autodetect the binaries and config files from a set of options 2017-08-30 18:37:01 +01:00
Liz Rice
f5cef922cc Functions and tests for finding binaries and config files 2017-08-30 18:01:53 +01:00
Liz Rice
7600dd9dd6 Make the ps / fakeps function global so we don’t have to pass it around so much 2017-08-30 17:51:28 +01:00
Liz Rice
0bc00e0036 Slightly more robust looking for running executables 2017-08-30 17:48:12 +01:00
Liz Rice
9114e139cf Function to find which of a set of executables is running 2017-08-30 12:07:46 +01:00
Liz Rice
6b9f117f87 Allow for multiple words in executable names 2017-08-15 17:00:35 +01:00
Liz Rice
34f8b8e980 Simplify verifying binaries and config files 2017-08-15 16:44:40 +01:00
Liz Rice
86d49b1b1a We don’t care whether the binaries are in our path or not, just whether they are running 2017-08-15 16:01:27 +01:00
Liz Rice
96c469669c Use kubectl to check the kubernetes version 2017-08-11 17:59:57 +01:00
Liz Rice
2b4047a3c1 Merge pull request #28 from ttousai/errorhandling
Improve error handling.
2017-08-07 10:06:32 +01:00
Abubakr-Sadik Nii Nai Davis
7bb66dd2da Rename warning printing functions.
printlnWarn: prints warning with a newline.
sprintWarn: returns an optionally contextualized warning string.
2017-08-06 16:59:03 +00:00
Abubakr-Sadik Nii Nai Davis
82c92e0078 Change function name to be clearer about the fact it returns a string. 2017-08-06 14:25:02 +00:00
Abubakr-Sadik Nii Nai Davis
f88de572f6 Improve error handling. 2017-07-25 00:34:07 +00:00
Abubakr-Sadik Nii Nai Davis
e08e069174 Update controls to CIS Kubernetes Benchmark v1.1.0 2017-07-24 17:30:13 +00:00
Abubakr-Sadik Nii Nai Davis
f589fd58e1 Add few modifications. 2017-07-13 01:01:18 +00:00
Abubakr-Sadik Nii Nai Davis
3d395994b0 Change environment variable prefix. 2017-07-13 00:24:57 +00:00
Abubakr-Sadik Nii Nai Davis
609c4ff01c Move kubernetes binaries and config paths to kube-bench config. 2017-07-13 00:24:09 +00:00
Abubakr-Sadik Nii Nai Davis
2ee99eca64 Add support for various installation modes, hyperkube, kubeadm and kops.
Issue #17.
2017-07-10 00:15:27 +00:00
Abubakr-Sadik Nii Nai Davis
bd53529387 Fix issue #16 about supporting verbosity. 2017-07-07 17:01:30 +00:00
Abubakr-Sadik Nii Nai Davis
06466d6573 Fix issue with kubernetes version check, where the master binary is
used for all modes including nodes and federated.
2017-07-06 18:31:18 +00:00
Abubakr-Sadik Nii Nai Davis
dbbafd54a5 Do not exit on command exit, print error message to stderr and continue. 2017-07-05 12:56:01 +00:00
Abubakr-Sadik Nii Nai Davis
6ee9bedfb8 Print verification warnings at only one point. 2017-07-04 16:53:39 +00:00
Abubakr-Sadik Nii Nai Davis
2119d119b0 Restore warning messages and dont quit on verification error. 2017-07-04 15:38:34 +00:00
Abubakr-Sadik Nii Nai Davis
d0d9900b29 Resolve issue #7 wait: error running audit command exit status 1.
This is caused by a command in the audit pipeline (for example
ps -ef | grep kube-apiserver) failing. The causes of this failure
in my testing is usually a missing config file.

Extensive refactor and correction in verification code to check for
config files and binaries.

Replace joncalhoun/pipes with implementation using exec.Cmds so errors
are visible and can be handled when audit pipeline commands fail.

Change some audit commands
from: ps -ef | grep <cmd> | grep -v
to:   ps -C <something> -o comm,args --no-headers

which is simpler to work with.
2017-06-30 14:19:38 +00:00
Liz Rice
b4237ccb73 Better error handling when reading YAML files 2017-06-23 12:04:46 +01:00
Liz Rice
07750ea43a Don't output message about config file if output format is JSON 2017-06-23 10:48:49 +01:00
Liz Rice
6340ee44c5 Don’t output warnings as text if we’re generating JSON output. Add error handling in a few missing cases. Some comment tidying. 2017-06-23 10:41:40 +01:00
Liz Rice
f6509b804e Typo 2017-06-23 10:28:58 +01:00
Liz Rice
b36832e40c Correct block-copy error in flanneld config directory 2017-06-23 09:58:46 +01:00
Liz Rice
1be52fb304 Add missing error output if JSON output can't be emitted 2017-06-23 09:40:53 +01:00
Liz Rice
0d6d3a03ef Allow config file to be specified on the command line 2017-06-22 15:34:21 +01:00
Liz Rice
96364e3f29 Error if the config file can’t be found 2017-06-22 15:34:01 +01:00
Liz Rice
c07a8e2c81 Minor language improvement 2017-06-22 15:19:57 +01:00
jerbia
432651e85f Added test 1.4.11 (#8) 2017-06-21 22:45:50 +03:00
Liz Rice
c3d67e0fee Use colorPrint for config file info too 2017-06-20 11:10:11 +01:00
Liz Rice
b7a92799b9 Blue for info messages 2017-06-20 11:09:44 +01:00
Liz Rice
800c18ccf3 colorPrint for the output
Use the same format output for warnings even if they aren’t related to
a specific test ID
2017-06-20 09:54:17 +01:00
Liz Rice
dcd416a521 Executable name changes
Updates to travis file, readme and help text
2017-06-20 09:52:53 +01:00