John Schnake
6ffd382711
Add option to output in JUnit format ( #516 )
If running these checks in a CI system it may be beneficial
to output in a more standardized format such as JUnit for
parsing by other tools in a consistent manner.
Fixes #460
Signed-off-by: John Schnake <jschnake@vmware.com>
5 years ago
Roberto Rojas
b92d30bd11
Fixes issue #517 : Determines Kubernetes version using the REST API ( #518 )
* Fixes issue #517 : Determines Kubernetes version using the REST API
* fixes
* fixes
* adds tests
* fixes
* added more tests
* kubernetes_version_test: Add a missing case for invalid certs
Signed-off-by: Simarpreet Singh <simar@linux.com>
* kubernetes_version_test: Remove un-needed casts
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fixes as per PR review
* fixes as per PR review
5 years ago
Sebastian Ehmann
09fb3c4fe4
Check error before deferring db.Close() ( #491 )
5 years ago
Roberto Rojas
7ca438b618
Fixes Issue 269 - Numbering to use CIS Versions ( #511 )
* starting benchmark flag
* Revert "starting benchmark flag"
This reverts commit 58fc948626.
* fixes issue #269
* add more unit tests
* fix bug
* Update cmd/common.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixes as per PR review
* fixes as per PR review
* adds more tests
* fixed tests
* changes as per PR Review
* changes as per PR Review
* updated README
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update README.md
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as per PR review
5 years ago
Roberto Rojas
d5a02f7cb4
Fixes Issue #331 : Changes the Error Message When Programs are Missing ( #497 )
* changed error description for missing kubectl/kubelet execs
* adds function to generate error message for missing components
* adds function to generate error message for missing components
* adds function to generate error message for missing components
* Update cmd/util.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update cmd/util.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update cmd/util.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update cmd/util.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* Update cmd/util.go
Co-Authored-By: Liz Rice <liz@lizrice.com>
* fixed error message
* changes as per PR review
5 years ago
Roberto Rojas
13fe1cdfb8
Fixes issue #501 : specifying absolute path for both ps and cat ( #508 )
* fixes issue #501
* specify absolute path for ps and cat
5 years ago
Arpit Pandey
ce0137a31a
Fix few typos ( #469 )
5 years ago
Simarpreet Singh
d12a45bba9
Properly initialize viper library when checking for master components ( #434 )
* common_test: Add a failing test to show the SIGSEGV
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Go green by fixing isMaster() to instantiate viper
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Inject a seam for getBinariesFunc to be patched-in.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Rename TestIsMaster()
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: init viper with master config
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Add a pre-check if valid yaml is passed but doesn't include master.
Also adds additional tests to showcase unhappy behaviors.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: Upgrade viper to v1.4.0
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Refactor node only yaml to a file
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common: Log when master components are not found
Signed-off-by: Simarpreet Singh <simar@linux.com>
* common_test: Refactor subtests into a table
Signed-off-by: Simarpreet Singh <simar@linux.com>
5 years ago
Roberto Rojas
a6ee61fd08
Fixes issue #289 : removed versions prior to 1.11 ( #429 )
* removed version prior to 1.11
* removed references to kubernetes versions prior to 1.11
5 years ago
Roberto Rojas
3aa41db166
Issue #353 : Merges JSON and Exec Params files ( #426 )
* starts fixes #353
* new approach to minimize duplications
* applied merged yaml files for v1.11 and v1.13
* yaml files json/params merged
* fixes to remove double quotes from numbers and booleans
* fixed bug
* fixed certificate check
* removed -json files
* changes based on PR review
* Update check/check_test.go
Yay more tests!
Co-Authored-By: Liz Rice <liz@lizrice.com>
* changes as PR review
* fixed bug when scored check is missing tests
* attempt to improve the code
* fixed list breaks
* removes handleError function
* Update check/check.go
Accepting suggested log level.
Co-Authored-By: Liz Rice <liz@lizrice.com>
5 years ago
Roberto Rojas
c22f81610d
removes federated ( #431 )
5 years ago
Abubakr-Sadik Nii Nai Davis
92df9cb36c
Read kubernetes version from environment ( #390 )
* Read kubernetes version from environment
Set kubernetes version to the value of the environment variable `KUBE_BENCH_VERSION` if it is defined and the flag `--version` is not specified on the kube-bench command line.
The command line flag `--version` takes precedence over the environment variable `KUBE_BENCH_VERSION` if both are defined.
* Add info about KUBE_BENCH_VERSION to README
5 years ago
Abubakr-Sadik Nii Nai Davis
3fba5f4dac
Fix version command failing because of missing config file it does not need. ( #377 )
* Fix version command failing because of missing config file it does
not need.
* Fix typo
* Remove reference to github issue in comment
5 years ago
zilard
b86dd92c91
Issue #348 : Refactor get<Thing>Files into getFiles ( #359 )
* issue #348 : replace everywhere get<Thing>Files with getFiles
5 years ago
zilard
d8528a1ec8
issue #234 : implement test 2.2.8 ( #343 )
* implement test 2.2.8
* Nit: correct indentation
The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it
5 years ago
Liz Rice
25b2c5da5a
Add comment about procps limitation ( #333 )
5 years ago
patelpayal
e6e6333e6d
add glog flush to write the output to a file ( #329 )
* add glog flush to write the output to a file
* add glog flush before exit on error and fix code comment
5 years ago
Simarpreet Singh
3b7438e2f2
kube-bench: add version subcommand
Signed-off-by: Simarpreet Singh <simar@linux.com>
5 years ago
nshauli
e64f61fa7f
Add --outputfile flag for writing json results to output file ( #295 )
5 years ago
Liz Rice
a8c69b57e8
Merge branch 'master' into config-improvements
5 years ago
Liz Rice
e33e44b676
Correct debug messages
5 years ago
Yoav Hizkiahou
3aa28c4c32
Printing the actual test result of failed tests - when a flag is raised
fix #110
5 years ago
Liz Rice
aebd35a5ab
Update copyright date
5 years ago
Daniel Pacak
5fb133cd02
Adjust the semantics of scored and unscored flags
5 years ago
Daniel Pacak
306e1960af
Add flags to further filter CIS checks to run
5 years ago
Liz Rice
de623220e1
No need to load config just to check if components are running.
This also allows for there to be no master.yaml file, for environments where such a thing doesn’t need to exist
5 years ago
Liz Rice
596dae03d9
Don't assume master if 0 master binaries specified
5 years ago
Liz Rice
9246be924d
Merge branch 'master' into features/autodetect-nodetype
5 years ago
Cyril Tovena
5baf81a70a
Adds master node detection and a root command that automatically detect checks to run.
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
5 years ago
Abubakr-Sadik Nii Nai Davis
a88b0703d8
Add kubeconfig variable substitution for kubelet and proxy.
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.
This PR adds support for variable substitution for all the config file
types that should be checked in the CIS benchmarks.
This PR also fixes a bug in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
5 years ago
nshauli
e93bfc1aac
search for the kubelet binary when it is not in the path
5 years ago
Liz Rice
7626dc2705
Merge branch 'master' into bugfix-log-warnings-instead-of-print
5 years ago
Yoav Hizkiahou
082e9cf7e9
Bugfix: Logging warning instead of printing
Made all the warnings to be logged and not printed, so when using the json flag the output will be only in json format.
fix #217
5 years ago
Abubakr-Sadik Nii Nai Davis
911e9051dc
Merge remote-tracking branch 'origin/master' into ocp-configs
5 years ago
Abubakr-Sadik Nii Nai Davis
e899e941f7
Add OCP 3.10 benchmarks.
5 years ago
Weston Steimel
42ed8628de
Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
5 years ago
Yoav Hizkiahou
49f745af8e
Support new check type - skip:
If a check is marked with type "skip", it will be marked as Info.
Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
5 years ago
Weston Steimel
42f4152058
Only get runningVersion if --version has not been provided
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
6 years ago
Abubakr-Sadik Nii Nai Davis
ed21839464
Add getServiceFiles function.
The CIS benchmark check for node checks 2 config files for kubelet:
- kubelet config file (kubelet.conf)
- kubelet systemd unitfile (10-kubeadm.conf)
The getServiceFiles function gets candidates for kubelet systemd
unitfile and returns valid unitfiles.
6 years ago
bvwells
cc43fcbb7e
Add link to CIS kubernetes benchmark
6 years ago
Liz Rice
ccc2b6c9ae
Shouldn't need kubelet or kubectl if version specified
6 years ago
Liz Rice
9d0141871a
Use new utility function for finding correct config files.
Improve order of message output
Remove unnecessary local variable
6 years ago
Liz Rice
344d2bfd24
Utility for getting the right config file for the Kubernetes version
6 years ago
Liz Rice
ecd14ed682
File substitutions should be a detailed log
6 years ago
Liz Rice
223ac14642
Don't override version specified on command line
6 years ago
Abubakr-Sadik Nii Nai Davis
6d237607fb
Fix typo in help text.
6 years ago
Abubakr-Sadik Nii Nai Davis
5da707b8d6
Remove CIS benchmark version in tool title.
It has grown stale and is dependent on the k8s version we are checking.
6 years ago
Jeppe Fihl-Pearson
39d94df81b
Add tip about the `--version` flag to error output
If people are trying to use the Docker image to check their cluster, there's a
big likelihood of them hitting the error message saying that either `kubectl`
or `kubelet` need to be found in order for `kube-bench` to be able to determine
the Kubernetes version in use.
This adds a tip that the version can be specified manually with the `--version`
flag which is a lot easier than having to make a new Docker image with the
right version of `kubelet`/`kubectl` in order for `kube-bench` to work.
6 years ago
Liz Rice
0b4872104d
Merge branch 'master' into feature/issue-107
6 years ago
Will Medlar
9469b1c124
Allow kubernetes version and config directory to be specified ( resolves #107 )
6 years ago
Abubakr-Sadik Nii Nai Davis
ade064006e
Add extra output manipulation flags, --noremediations, --nosummary and --noresults.
These flags disable printing sections of the final output of kube-bench.
6 years ago
Liz Rice
728cb0765f
Use 1.8 tests for k8s 1.9 and 1.10
6 years ago
Philippe ALEXANDRE
f091c8adea
Remove the old lines of fmt.Sprintf in cmd/common.go
6 years ago
Philippe ALEXANDRE
d6c16f7563
Try to use kubelet when kubectl is unavailable
6 years ago
Philippe ALEXANDRE
c86d0ff81b
Replace fmt.Sprintf by filepath.Join
6 years ago
Liz Rice
58b6358a02
Merge branch 'master' into u/jaxxstorm/golint
7 years ago
Lee Briggs
94a1f3c41f
Lint all code for golint tests
7 years ago
Abubakr-Sadik Nii Nai Davis
64aaef7997
Fixed expected return for getKubeVersion.
7 years ago
Abubakr-Sadik Nii Nai Davis
53eb720952
Merge branch 'master' into unnecessary-warning
7 years ago
Abubakr-Sadik Nii Nai Davis
04f044e3b9
Add support for merging general and kubernetes version specific config files.
This change unifies all config files, podspecs and unitfiles under
a single component configuration key; `config`.
7 years ago
Liz Rice
97485419e2
Can't run kubectl on Travis so I don't know how this test ever worked
7 years ago
Liz Rice
730871f330
Fix kubeVersion regex tests
7 years ago
Abubakr-Sadik Nii Nai Davis
c93c94b3f6
Fix version check regexp.
7 years ago
Abubakr-Sadik Nii Nai Davis
c60c459bc4
Fix bug causing kubectl version to always return default version.
7 years ago
Abubakr-Sadik Nii Nai Davis
42a1068964
Add default version if version check fails.
7 years ago
Abubakr-Sadik Nii Nai Davis
f90dd925b8
Exit kube-bench if we can't get valid kubernetes server version and improve error messages.
7 years ago
Abubakr-Sadik Nii Nai Davis
31b5910a7f
Remove unnecessary warnings about missing config files.
7 years ago
Steven Logue
909e6cc874
created database.go file and moved DB function into it
7 years ago
Liz Rice
1faeb55b67
Merge branch 'master' into master
7 years ago
Steven Logue
d79a2a5478
added support for saving scan results to pgsql
7 years ago
Abubakr-Sadik Nii Nai Davis
3dcc38d5c8
Fix issue with util test.
7 years ago
Abubakr-Sadik Nii Nai Davis
592dc81974
Remove unused variables.
7 years ago
Abubakr-Sadik Nii Nai Davis
cec1d9d6b3
Combine config reading functions into single function.
7 years ago
Abubakr-Sadik Nii Nai Davis
e227934c88
Add function to get unit files for kubernetes components.
7 years ago
Abubakr-Sadik Nii Nai Davis
6ce0c5bf60
Add function to get pod specs for kubernetes components.
7 years ago
Abubakr-Sadik Nii Nai Davis
018ad12a64
Log benchmark definition file at verbosity level 1.
7 years ago
Abubakr-Sadik Nii Nai Davis
73a37a0c16
Delete tests for verifyKubeVersion and support functions.
7 years ago
Abubakr-Sadik Nii Nai Davis
88a003090f
Delete verifyKubeVersion support functions.
7 years ago
Abubakr-Sadik Nii Nai Davis
a95d083049
Remove call to verifyKubeVersion.
This functionality is fulfilled by getKubeVersion.
7 years ago
Abubakr-Sadik Nii Nai Davis
d9e1eee2cd
Merge remote-tracking branch 'origin/master' into support for multiple Kubernetes versions.
7 years ago
Abubakr-Sadik Nii Nai Davis
56fa20103a
Add function to retrieve Kubernetes server version.
The server version is used to load the correct benchmark check
to run against the Kubernetes cluster.
7 years ago
Liz Rice
c4be4a1240
Remove installation flag and some other unused variables
7 years ago
Liz Rice
de12829923
Correct test to cope with multi-line ps output
7 years ago
Liz Rice
e4a89123e0
Move message about which config file we’re using into a log at the start
7 years ago
Liz Rice
8380ad1ef3
Better detection of running executables
7 years ago
Liz Rice
d637d8714a
Fix and add tests
7 years ago
Liz Rice
a3197f8efe
Reorder YAML to make a bit more sense. Allow for optional components, and a config file that we don’t think exists.
7 years ago
Liz Rice
e4b905e360
Log when there’s no substitution
7 years ago
Liz Rice
f5550fd8bd
Node type is now verified by looking for running binaries from a set of options
7 years ago
Liz Rice
6a5a62b278
Autodetect the binaries and config files from a set of options
7 years ago
Liz Rice
f5cef922cc
Functions and tests for finding binaries and config files
7 years ago
Liz Rice
7600dd9dd6
Make the ps / fakeps function global so we don’t have to pass it around so much
7 years ago
Liz Rice
0bc00e0036
Slightly more robust looking for running executables
7 years ago
Liz Rice
9114e139cf
Function to find which of a set of executables is running
7 years ago
Liz Rice
6b9f117f87
Allow for multiple words in executable names
7 years ago
Liz Rice
34f8b8e980
Simplify verifying binaries and config files
7 years ago
Liz Rice
86d49b1b1a
We don’t care whether the binaries are in our path or not, just whether they are running
7 years ago
Liz Rice
96c469669c
Use kubectl to check the kubernetes version
7 years ago
Liz Rice
2b4047a3c1
Merge pull request #28 from ttousai/errorhandling
Improve error handling.
7 years ago
Abubakr-Sadik Nii Nai Davis
7bb66dd2da
Rename warning printing functions.
printlnWarn: prints warning with a newline.
sprintWarn: returns an optionally contextualized warning string.
7 years ago