Liz Rice
fa60fb68fd
Add job for EKS
2019-04-11 18:45:16 +01:00
Liz Rice
27dc75fefa
No need for unused master config file.
...
Better comments in config file
2019-04-11 18:36:30 +01:00
Liz Rice
de623220e1
No need to load config just to check if components are running.
...
This also allows for there to be no master.yaml file, for environments where such a thing doesn’t need to exist
2019-04-11 18:34:22 +01:00
Liz Rice
596dae03d9
Don't assume master if 0 master binaries specified
2019-04-11 17:19:50 +01:00
Liz Rice
902a10f1c7
Just have one path for both json and yaml
2019-04-11 17:09:33 +01:00
Liz Rice
9b034024a7
Complete merge where test numbers changes
2019-04-11 10:21:19 +01:00
Liz Rice
c887794807
Merge branch 'master' into feature/json-config
2019-04-11 10:03:07 +01:00
Liz Rice
d30786da4a
Merge pull request #258 from aquasecurity/fix-241
...
Add ":" as a valid flag-value separator for tests
2019-04-11 09:37:39 +01:00
Liz Rice
c03e958311
Merge branch 'master' into fix-241
2019-04-11 09:34:02 +01:00
Liz Rice
241972c659
Merge pull request #249 from aquasecurity/document-output
...
Document output states
2019-04-11 09:18:34 +01:00
Liz Rice
d93ed0acca
Merge branch 'master' into fix-241
2019-04-11 09:05:18 +01:00
Liz Rice
b5f3299e92
Merge branch 'master' into document-output
2019-04-11 09:04:04 +01:00
Liz Rice
588d75d20d
Merge pull request #251 from aquasecurity/version-mapping
...
Add CIS & Kubernetes version mapping to README
2019-04-11 09:03:44 +01:00
Abubakr-Sadik Nii Nai Davis
4b8a7ffbe1
Add ":" as a valid flag-value separator for tests
...
This is useful for checking values in YAML (possibly JSON) kubernetes config files.
2019-04-10 22:47:26 +00:00
Liz Rice
651b72f7d1
Merge branch 'master' into document-output
2019-04-10 08:45:55 +01:00
Liz Rice
0c40532e76
Merge branch 'master' into version-mapping
2019-04-10 08:31:04 +01:00
Liz Rice
54502c5f75
Merge pull request #247 from aquasecurity/yoavrotems-patch-2
...
Update master.yaml
2019-03-27 14:24:03 +00:00
Liz Rice
df556c2f42
Add CIS & Kubernetes version mapping to README
2019-03-27 14:21:22 +00:00
Liz Rice
488f5221ef
Document output states
...
Also describe how tests can be omitted by editing the YAML
2019-03-26 10:37:17 +00:00
Liz Rice
b1ce0a9a75
Merge branch 'master' into yoavrotems-patch-2
2019-03-26 09:51:03 +00:00
Liz Rice
0f86bfc060
Merge pull request #246 from aquasecurity/yoavrotems-patch-1
...
Update master.yaml
2019-03-26 09:41:40 +00:00
yoavrotems
d059196b71
Update master.yaml
...
Fix 1.1.23 to check *if* --service-account-lookup argument is set and if so then if it's equal to true
2019-03-25 14:41:06 +02:00
yoavrotems
a85e5a7759
Update master.yaml
...
Fix title of 1.4.21 from 644 to 600 according to cis benchmark
2019-03-25 14:33:52 +02:00
Florent Delannoy
abfc38d672
Update documentation after review
2019-03-21 15:05:20 +00:00
Florent Delannoy
4d3144ca21
Support JSON and YAML configuration
...
Support new configuration options besides --flags:
- JSON file through `jsonpath`
- YAML file through `yamlpath`
These new options are fully backwards-compatible with the existing
tests.
Added a new profile, 1.11-json, that expects a JSON kubelet
configuration file and scores accordingly. This profile is compatible
with EKS.
2019-03-21 12:13:31 +00:00
Liz Rice
573136a700
Merge pull request #238 from Kuqd/features/autodetect-nodetype
...
Adds master node detection - thanks @Kuqd!
2019-03-18 18:43:13 +00:00
Liz Rice
9246be924d
Merge branch 'master' into features/autodetect-nodetype
2019-03-13 20:36:19 -07:00
Cyril Tovena
5baf81a70a
Adds master node detection and a root command that automatically detect checks to run.
...
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
2019-03-12 19:32:05 -04:00
Liz Rice
c4c0d911d4
Merge pull request #237 from aquasecurity/openshift
...
Update openshift executable config
2019-03-07 14:53:22 +00:00
Liz Rice
9b3628e76a
Update openshift executable config for #236
2019-03-07 11:18:06 +00:00
Liz Rice
8745df170a
Merge pull request #233 from aquasecurity/clean-ocp-configs
...
Clean up OCP benchmark config.
2019-03-07 09:30:18 +00:00
Liz Rice
1ead9e1d71
Merge branch 'master' into clean-ocp-configs
2019-03-07 09:22:47 +00:00
Liz Rice
772d2e26b4
Merge pull request #226 from aquasecurity/add-new-cfg-version1.4
...
add new config files from the new CIS Kubernetes Benchmark
2019-03-06 13:35:17 +00:00
Abubakr-Sadik Nii Nai Davis
53ed68a0b2
Clean up OCP benchmark config.
...
The OCP benchmarks uses configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
2019-03-06 12:02:58 +00:00
yoavrotems
c6102f0a1b
Fix the files
...
Fix the start from 1.11 to 1.13 and adding changes from pull #227 , and pull #228 .
2019-03-06 11:26:36 +00:00
yoavrotems
e534392525
Delete node.yaml
...
replace with the new node.yaml file
2019-03-06 13:24:14 +02:00
yoavrotems
5f09ecef44
Delete master.yaml
...
replace with the new master.yaml file
2019-03-06 13:23:49 +02:00
yoavrotems
a7d9e06c1b
Delete config.yaml
...
replace with the new config.yaml file
2019-03-06 13:23:18 +02:00
yoavrotems
50f22e7f13
Merge branch 'master' into add-new-cfg-version1.4
2019-03-06 11:16:36 +00:00
Liz Rice
2d4019aabe
Merge pull request #228 from aquasecurity/fix-208
...
Fix issues with checks for kubelet configuration files
2019-03-03 11:10:05 +00:00
Liz Rice
dd8e7ec874
Merge branch 'master' into fix-208
2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
d255b49d4b
Revert 1.8 config file.
2019-03-02 17:20:46 +00:00
Liz Rice
0a58805cdb
Merge pull request #227 from aquasecurity/fix-false-detections
...
Only find flags on the process we really want
2019-02-28 10:48:23 +08:00
Liz Rice
c18d8a2234
Merge branch 'master' into fix-false-detections
2019-02-28 10:38:41 +08:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8
Add kubeconfig variable substitution for kubelet and proxy.
...
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.
This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.
This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2
Fix wrong reference to kubelet.config in node checks.
...
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208 .
2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2
Only find flags on the process we really want
2019-02-28 01:33:21 +08:00
yoavrotems
82150fdc63
add new config files from the new CIS Kubernetes Benchmark
...
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
2019-02-27 10:39:32 +00:00
Liz Rice
c824daeb15
Merge pull request #222 from nshauli/search_for_kubelet_binary_when_not_in_path
...
search for the kubelet binary when it is not in the path
2019-02-19 16:07:20 +00:00
nshauli
e93bfc1aac
search for the kubelet binary when it is not in the path
2019-02-19 16:38:10 +02:00