Liz Rice
9246be924d
Merge branch 'master' into features/autodetect-nodetype
2019-03-13 20:36:19 -07:00
Cyril Tovena
5baf81a70a
Adds master node detection and a root command that automatically detect checks to run.
...
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
2019-03-12 19:32:05 -04:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8
Add kubeconfig variable substitution for kubelet and proxy.
...
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.
This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.
This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
nshauli
e93bfc1aac
search for the kubelet binary when it is not in the path
2019-02-19 16:38:10 +02:00
Liz Rice
7626dc2705
Merge branch 'master' into bugfix-log-warnings-instead-of-print
2019-02-19 13:44:23 +00:00
Yoav Hizkiahou
082e9cf7e9
Bugfix: Logging warning instead of printing
...
Made all the warnings to be logged and not printed, so when using the json flag the output will be only in json format.
fix #217
2019-02-19 14:39:55 +02:00
Abubakr-Sadik Nii Nai Davis
911e9051dc
Merge remote-tracking branch 'origin/master' into ocp-configs
2019-02-15 19:48:53 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7
Add OCP 3.10 benchmarks.
2019-02-15 19:44:39 +00:00
Weston Steimel
42ed8628de
Only get runningVersion if --version has not been provided
...
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-02-15 19:43:13 +00:00
Yoav Hizkiahou
49f745af8e
Support new check type - skip:
...
If a check is marked with type "skip", it will be marked as Info.
Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
2019-01-29 19:05:12 +02:00
Weston Steimel
42f4152058
Only get runningVersion if --version has not been provided
...
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
2019-01-24 00:34:09 +00:00
Abubakr-Sadik Nii Nai Davis
ed21839464
Add getServiceFiles function.
...
The CIS benchmark check for node checks 2 config files for kubelet:
- kubelet config file (kubelet.conf)
- kubelet systemd unitfile (10-kubeadm.conf)
The getServiceFiles function gets candidates for kubelet systemd
unitfile and returns valid untifiles.
2018-10-23 02:26:38 +00:00
bvwells
cc43fcbb7e
Add link to CIS kubernetes benchmark
2018-08-10 20:55:02 +01:00
Liz Rice
ccc2b6c9ae
Shouldn't need kubelet or kubectl if version specified
2018-07-26 12:03:09 +01:00
Liz Rice
9d0141871a
Use new utility function for finding correct config files.
...
Improve order of message output
Remove unnecessary local variable
2018-06-29 12:20:29 +01:00
Liz Rice
344d2bfd24
Utility for getting the right config file for the Kubernetes version
2018-06-29 12:19:34 +01:00
Liz Rice
ecd14ed682
File substitutions should be a detailed log
2018-06-29 12:19:00 +01:00
Liz Rice
223ac14642
Don't override version specified on command line
2018-06-29 10:35:44 +01:00
Abubakr-Sadik Nii Nai Davis
6d237607fb
Fix typo in help text.
2018-05-15 04:50:39 +00:00
Abubakr-Sadik Nii Nai Davis
5da707b8d6
Remove CIS benchmark version in tool title.
...
it has grown stale and is dependent on k8s version we are checking.
2018-05-15 04:23:39 +00:00
Jeppe Fihl-Pearson
39d94df81b
Add tip about the --version
flag to error output
...
If people are trying to use the Docker image to check their cluster, there's a
big likelyhood of them hitting the error message saying that either `kubectl`
or `kubelet` need to be found in order for `kube-bench` to be able to determine
the Kubernetes version in use.
This adds a tip that the version can be specified manually with the `--version`
flag which is a lot easier than having to make a new Docker image with the
right version of `kubelet`/`kubectl` in order for `kube-bench` to work.
2018-05-11 18:58:24 +01:00
Liz Rice
0b4872104d
Merge branch 'master' into feature/issue-107
2018-04-16 17:15:30 +01:00
Will Medlar
9469b1c124
Allow kubernetes version and config directory to be specified ( resolves #107 )
2018-04-12 15:01:58 -04:00
Abubakr-Sadik Nii Nai Davis
ade064006e
Add extra output manipulation flags, --noremediations, --nosummary and
...
--noresults.
These flags disable printing sections of the final output of kube-bench.
2018-04-10 20:01:47 +00:00
Liz Rice
728cb0765f
Use 1.8 tests for k8s 1.9 and 1.10
2018-04-04 10:49:05 +01:00
Philippe ALEXANDRE
f091c8adea
Remove the old lines of fmt.Sprintf in cmd/common.go
2018-03-27 15:33:01 +02:00
Philippe ALEXANDRE
d6c16f7563
Try to use kubelet when kubectl is unavailable
2018-03-23 09:29:17 +01:00
Philippe ALEXANDRE
c86d0ff81b
Replace fmt.Sprintf by filepath.Join
2018-03-23 09:27:48 +01:00
Liz Rice
58b6358a02
Merge branch 'master' into u/jaxxstorm/golint
2018-01-30 19:46:44 +00:00
Lee Briggs
94a1f3c41f
Lint all code for golint tests
2018-01-11 10:01:58 -08:00
Abubakr-Sadik Nii Nai Davis
64aaef7997
Fixed expected return for getKubeVersion.
2017-11-28 17:47:57 +00:00
Abubakr-Sadik Nii Nai Davis
53eb720952
Merge branch 'master' into unnecessary-warning
2017-11-28 17:44:53 +00:00
Abubakr-Sadik Nii Nai Davis
04f044e3b9
Add support for merging general and kubernetes version specific config files.
...
This change unifies all config files, podspecs and unitfiles under
a single component configuration key; `config`.
2017-11-28 17:38:34 +00:00
Liz Rice
97485419e2
Can't run kubectl on Travis so I don't know how this test ever worked
2017-11-21 13:21:47 +00:00
Liz Rice
730871f330
Fix kubeVersion regex tests
2017-11-21 13:19:09 +00:00
Abubakr-Sadik Nii Nai Davis
c93c94b3f6
Fix version check regexp.
2017-11-21 12:20:02 +00:00
Abubakr-Sadik Nii Nai Davis
c60c459bc4
Fix bug causing kubectl version to always return default version.
2017-11-14 22:27:55 +00:00
Abubakr-Sadik Nii Nai Davis
42a1068964
Add default version if version check fails.
2017-11-13 15:25:34 +00:00
Abubakr-Sadik Nii Nai Davis
f90dd925b8
Exit kube-bench if we can't get valid kubernetes server version and
...
improve error messages.
2017-11-03 13:11:10 +00:00
Abubakr-Sadik Nii Nai Davis
31b5910a7f
Remove unnecessary warnings about missing config files.
2017-11-03 10:41:01 +00:00
Steven Logue
909e6cc874
created database.go file and moved DB function into it
2017-11-01 10:15:31 -07:00
Liz Rice
1faeb55b67
Merge branch 'master' into master
2017-11-01 14:46:48 +00:00
Steven Logue
d79a2a5478
added support for saving scan results to pgsql
2017-10-31 13:08:46 -07:00
Abubakr-Sadik Nii Nai Davis
3dcc38d5c8
Fix issue with util test.
2017-10-24 12:45:38 +00:00
Abubakr-Sadik Nii Nai Davis
592dc81974
Remove unused variables.
2017-10-24 12:02:22 +00:00
Abubakr-Sadik Nii Nai Davis
cec1d9d6b3
Combine config reading functions into single function.
2017-10-24 12:01:02 +00:00
Abubakr-Sadik Nii Nai Davis
e227934c88
Add function to get unit files for kubernetes components.
2017-10-15 13:20:01 +00:00
Abubakr-Sadik Nii Nai Davis
6ce0c5bf60
Add function to get pod specs for kubernetes components.
2017-10-15 13:19:57 +00:00
Abubakr-Sadik Nii Nai Davis
018ad12a64
Log benchmark definition file at verbosity level 1.
2017-09-26 23:33:47 +00:00
Abubakr-Sadik Nii Nai Davis
73a37a0c16
Delete tests for verifyKubeVersion and support functions.
2017-09-26 23:24:44 +00:00
Abubakr-Sadik Nii Nai Davis
88a003090f
Delete verifyKubeVersion support functions.
2017-09-26 23:23:34 +00:00
Abubakr-Sadik Nii Nai Davis
a95d083049
Remove call to verifyKubeVersion.
...
This functionality is fulfilled by getKubeVersion.
2017-09-26 23:20:28 +00:00
Abubakr-Sadik Nii Nai Davis
d9e1eee2cd
Merge remote-tracking branch 'origin/master' into support for multiple
...
Kubernetes versions.
2017-09-20 00:39:30 +00:00
Abubakr-Sadik Nii Nai Davis
56fa20103a
Add function to retrieve Kubernetes server version.
...
The server version is used to load the correct benchmark check
to run against the Kubernetes cluster.
2017-09-17 19:49:13 +00:00
Liz Rice
c4be4a1240
Remove installation flag and some other unused variables
2017-08-31 17:52:21 +01:00
Liz Rice
de12829923
Correct test to cope with multi-line ps output
2017-08-31 17:43:07 +01:00
Liz Rice
e4a89123e0
Move message about which config file we’re using into a log at the start
2017-08-31 17:38:11 +01:00
Liz Rice
8380ad1ef3
Better detection of running executables
2017-08-31 16:01:31 +01:00
Liz Rice
d637d8714a
Fix and add tests
2017-08-31 15:22:30 +01:00
Liz Rice
a3197f8efe
Reorder YAML to make a bit more sense. Allow for optional components, and a config file that we don’t think exists.
2017-08-31 14:45:16 +01:00
Liz Rice
e4b905e360
Log when there’s no substitution
2017-08-31 14:43:59 +01:00
Liz Rice
f5550fd8bd
Node type is now verified by looking for running binaries from a set of options
2017-08-31 14:43:35 +01:00
Liz Rice
6a5a62b278
Autodetect the binaries and config files from a set of options
2017-08-30 18:37:01 +01:00
Liz Rice
f5cef922cc
Functions and tests for finding binaries and config files
2017-08-30 18:01:53 +01:00
Liz Rice
7600dd9dd6
Make the ps / fakeps function global so we don’t have to pass it around so much
2017-08-30 17:51:28 +01:00
Liz Rice
0bc00e0036
Slightly more robust looking for running executables
2017-08-30 17:48:12 +01:00
Liz Rice
9114e139cf
Function to find which of a set of executables is running
2017-08-30 12:07:46 +01:00
Liz Rice
6b9f117f87
Allow for multiple words in executable names
2017-08-15 17:00:35 +01:00
Liz Rice
34f8b8e980
Simplify verifying binaries and config files
2017-08-15 16:44:40 +01:00
Liz Rice
86d49b1b1a
We don’t care whether the binaries are in our path or not, just whether they are running
2017-08-15 16:01:27 +01:00
Liz Rice
96c469669c
Use kubectl to check the kubernetes version
2017-08-11 17:59:57 +01:00
Liz Rice
2b4047a3c1
Merge pull request #28 from ttousai/errorhandling
...
Improve error handling.
2017-08-07 10:06:32 +01:00
Abubakr-Sadik Nii Nai Davis
7bb66dd2da
Rename warning printing functions.
...
printlnWarn: prints warning with a newline.
sprintWarn: returns an optionally contextualized warning string.
2017-08-06 16:59:03 +00:00
Abubakr-Sadik Nii Nai Davis
82c92e0078
Change function name to be clearer about the fact it returns a string.
2017-08-06 14:25:02 +00:00
Abubakr-Sadik Nii Nai Davis
f88de572f6
Improve error handling.
2017-07-25 00:34:07 +00:00
Abubakr-Sadik Nii Nai Davis
e08e069174
Update controls to CIS Kubernetes Benchmark v1.1.0
2017-07-24 17:30:13 +00:00
Abubakr-Sadik Nii Nai Davis
f589fd58e1
Add few modifications.
2017-07-13 01:01:18 +00:00
Abubakr-Sadik Nii Nai Davis
3d395994b0
Change environment variable prefix.
2017-07-13 00:24:57 +00:00
Abubakr-Sadik Nii Nai Davis
609c4ff01c
Move kubernetes binaries and config paths to kube-bench config.
2017-07-13 00:24:09 +00:00
Abubakr-Sadik Nii Nai Davis
2ee99eca64
Add support for various installation modes, hyperkube, kubeadm and kops.
...
Issue #17 .
2017-07-10 00:15:27 +00:00
Abubakr-Sadik Nii Nai Davis
bd53529387
Fix issue #16 about supporting verbosity.
2017-07-07 17:01:30 +00:00
Abubakr-Sadik Nii Nai Davis
06466d6573
Fix issue with kubernetes version check, where the master binary is
...
used for all modes including nodes and federated.
2017-07-06 18:31:18 +00:00
Abubakr-Sadik Nii Nai Davis
dbbafd54a5
Do not exit on command exit, print error message to stderr and continue.
2017-07-05 12:56:01 +00:00
Abubakr-Sadik Nii Nai Davis
6ee9bedfb8
Print verification warnings at only one point.
2017-07-04 16:53:39 +00:00
Abubakr-Sadik Nii Nai Davis
2119d119b0
Restore warning messages and dont quit on verification error.
2017-07-04 15:38:34 +00:00
Abubakr-Sadik Nii Nai Davis
d0d9900b29
Resolve issue #7 wait: error running audit command exit status 1.
...
This is caused by a command in the audit pipeline (for example
ps -ef | grep kube-apiserver) failing. The causes of this failure
in my testing is usually a missing config file.
Extensive refactor and correction in verification code to check for
config files and binaries.
Replace joncalhoun/pipes with implementation using exec.Cmds so errors
are visible and can be handled when audit pipeline commands fail.
Change some audit commands
from: ps -ef | grep <cmd> | grep -v
to: ps -C <something> -o comm,args --no-headers
which is simpler to work with.
2017-06-30 14:19:38 +00:00
Liz Rice
b4237ccb73
Better error handling when reading YAML files
2017-06-23 12:04:46 +01:00
Liz Rice
07750ea43a
Don't output message about config file if output format is JSON
2017-06-23 10:48:49 +01:00
Liz Rice
6340ee44c5
Don’t output warnings as text if we’re generating JSON output. Add error handling in a few missing cases. Some comment tidying.
2017-06-23 10:41:40 +01:00
Liz Rice
f6509b804e
Typo
2017-06-23 10:28:58 +01:00
Liz Rice
b36832e40c
Correct block-copy error in flanneld config directory
2017-06-23 09:58:46 +01:00
Liz Rice
1be52fb304
Add missing error output if JSON output can't be emitted
2017-06-23 09:40:53 +01:00
Liz Rice
0d6d3a03ef
Allow config file to be specified on the command line
2017-06-22 15:34:21 +01:00
Liz Rice
96364e3f29
Error if the config file can’t be found
2017-06-22 15:34:01 +01:00
Liz Rice
c07a8e2c81
Minor language improvement
2017-06-22 15:19:57 +01:00
jerbia
432651e85f
Added test 1.4.11 ( #8 )
2017-06-21 22:45:50 +03:00
Liz Rice
c3d67e0fee
Use colorPrint for config file info too
2017-06-20 11:10:11 +01:00
Liz Rice
b7a92799b9
Blue for info messages
2017-06-20 11:09:44 +01:00
Liz Rice
800c18ccf3
colorPrint for the output
...
Use the same format output for warnings even if they aren’t related to
a specific test ID
2017-06-20 09:54:17 +01:00
Liz Rice
dcd416a521
Executable name changes
...
Updates to travis file, readme and help text
2017-06-20 09:52:53 +01:00