7027b6b2ec
* Create cis-1.9 yamls and Update info - policies.yaml - 5.1.1 to 5.1.6 were adapted from Manual to Automated - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2 - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2 - version was set to cis-1.9 - node.yaml master.yaml controlplane.yaml etcd.yaml - version was set to cis-1.9 * Adapt master.yaml - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) - Adjust numbering from 1.2.12 to 1.2.29 * Adjust policies.yaml - Check 5.2.3 to 5.2.9 Title Automated to Manual * Append node.yaml - Create 4.3 kube-config group - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated) * Adjust policies 5.1.3 and 5.1.6 - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant) - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts * Add kubectl dependency and update publish - Download kubectl (build stage) based on version and architecture - Add binary checksum verification - Use go env GOARCH for ARCH
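# Remove a half-written target when its recipe fails, so a truncated binary
# never looks "up to date" to the next run.
.DELETE_ON_ERROR:

# Go sources that trigger a rebuild of $(BINARY); evaluated once at parse time.
SOURCES := $(shell find . -name '*.go')
BINARY := kube-bench
DOCKER_ORG ?= aquasec
# Short commit hash; doubles as the image tag and as VCS_REF in the image build.
VERSION ?= $(shell git rev-parse --short=7 HEAD)
# Nearest tag; baked into the binary through -ldflags (see the $(BINARY) rule).
KUBEBENCH_VERSION ?= $(shell git describe --tags --abbrev=0)
IMAGE_NAME ?= $(DOCKER_ORG)/$(BINARY):$(VERSION)
IMAGE_NAME_UBI ?= $(DOCKER_ORG)/$(BINARY):$(VERSION)-ubi
GOOS ?= linux
# Host OS as detected below; not referenced by the rules in this file.
BUILD_OS := linux
uname := $(shell uname -s)
BUILDX_PLATFORM ?= linux/amd64,linux/arm64,linux/arm,linux/ppc64le,linux/s390x
# Every org/registry the multi-arch `docker` target pushes to.
DOCKER_ORGS ?= aquasec public.ecr.aws/aquasecurity
# NOTE(review): $@ is empty outside a recipe, so this default is effectively
# unset; GOARCH is not referenced elsewhere in this file. Kept for compatibility.
GOARCH ?= $@
# kubectl release bundled into the image. The commit message states the
# Dockerfile build stage downloads it by version/arch and verifies its
# checksum, so bump this deliberately and re-check the published hash.
KUBECTL_VERSION ?= 1.28.7
# Passed to the Dockerfile as TARGETARCH; defaults to the host's Go arch.
ARCH ?= $(shell go env GOARCH)

# Detect the host OS. NOTE(review): findstring is case-sensitive, so this
# matches WSL kernels reporting "Microsoft"; kernels reporting a lowercase
# "microsoft" fall through to the Linux branch — confirm if WSL matters.
ifneq ($(findstring Microsoft,$(shell uname -r)),)
BUILD_OS := windows
else ifeq ($(uname),Linux)
BUILD_OS := linux
else ifeq ($(uname),Darwin)
BUILD_OS := darwin
endif

# kind cluster name to use
KIND_PROFILE ?= kube-bench
KIND_CONTAINER_NAME := $(KIND_PROFILE)-control-plane
# Pinned by digest so the node image cannot change underneath the tests.
KIND_IMAGE ?= kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
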
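# build a multi-arch image and push to Docker hub (and every other org/registry
# listed in DOCKER_ORGS). Pushes straight to the registries, so it needs
# registry credentials in the calling environment. The image name is taken
# from $(BINARY) to stay consistent with IMAGE_NAME.
.PHONY: docker
docker:
	set -xe; \
	for org in $(DOCKER_ORGS); do \
		docker buildx build --tag $${org}/$(BINARY):$(VERSION) \
			--platform $(BUILDX_PLATFORM) --push . ; \
	done
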
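# Default development build: produces ./$(BINARY) for $(GOOS).
.PHONY: build
build: $(BINARY)

# Static (CGO_ENABLED=0) binary, rebuilt when any Go source or the module
# files change. go.mod/go.sum are wildcard-guarded so a checkout without
# go.sum still builds; the output path is $@ so it cannot drift from the target.
$(BINARY): $(SOURCES) $(wildcard go.mod go.sum)
	GOOS=$(GOOS) CGO_ENABLED=0 go build -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $@ .
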
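# FIPS-oriented build using Go's BoringCrypto experiment. Writes the same
# ./$(BINARY) path as `build`, overwriting whatever is there.
# NOTE(review): BoringCrypto is only linked in when cgo is enabled (linux,
# amd64/arm64); with CGO_ENABLED=0 Go appears to fall back to its standard
# crypto, so confirm the result (e.g. `go version -m $(BINARY)`) before
# treating this artefact as FIPS-capable.
.PHONY: build-fips
build-fips:
	GOOS=$(GOOS) CGO_ENABLED=0 GOEXPERIMENT=boringcrypto go build -tags fipsonly -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) .
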
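# Build args shared by both image flavours. Recursive (=) on purpose so
# BUILD_DATE is stamped when the recipe runs, not when the Makefile is parsed.
docker_build_args = --build-arg BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
    --build-arg VCS_REF=$(VERSION) \
    --build-arg KUBEBENCH_VERSION=$(KUBEBENCH_VERSION) \
    --build-arg KUBECTL_VERSION=$(KUBECTL_VERSION) \
    --build-arg TARGETARCH=$(ARCH)

# builds the current dev docker version
.PHONY: build-docker
build-docker:
	docker build $(docker_build_args) -t $(IMAGE_NAME) .

# same image built from the UBI base (Dockerfile.ubi)
.PHONY: build-docker-ubi
build-docker-ubi:
	docker build -f Dockerfile.ubi $(docker_build_args) -t $(IMAGE_NAME_UBI) .
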
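# unit tests: vet enabled, race detector on, coverage written to coverage.txt.
# Declared phony so a stray file named "tests" cannot make this a no-op.
.PHONY: tests
tests:
	GO111MODULE=on go test -vet all -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
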
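# end-to-end run on kind: ensure the cluster exists, then run the job.
# NOTE(review): the two prerequisites are independent in the graph, so under
# `make -j` kind-run may start before kind-test-cluster finishes; run serially.
.PHONY: integration-test
integration-test: kind-test-cluster kind-run
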
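# creates a kind cluster to be used for development.
HAS_KIND := $(shell command -v kind;)
# kind release installed when the binary is missing; pin to a tag instead of
# `latest` for reproducible CI.
KIND_VERSION ?= latest

# `go get -u` no longer installs binaries in module mode, so use `go install`.
# The cluster check uses an exact-line match (-x) so a profile such as
# "kube-bench" is not mistaken for "kube-bench-2", and avoids the unquoted
# `[ -z $(...) ]` test that broke when more than one name matched.
# NOTE(review): a freshly installed kind is only found if GOBIN is on PATH.
.PHONY: kind-test-cluster
kind-test-cluster:
ifndef HAS_KIND
	go install sigs.k8s.io/kind@$(KIND_VERSION)
endif
	@if ! kind get clusters | grep -qx -- '$(KIND_PROFILE)'; then \
		echo "Could not find $(KIND_PROFILE) cluster. Creating..."; \
		kind create cluster --name $(KIND_PROFILE) --image $(KIND_IMAGE) --wait 5m; \
	fi
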
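# pushes the current dev version to the kind cluster (builds the image first).
.PHONY: kind-push
kind-push: build-docker
	kind load docker-image $(IMAGE_NAME) --name $(KIND_PROFILE)
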
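# runs the current version on kind using a job and follow logs.
# KUBECONFIG is a target-specific variable: the kubeconfig exported from kind
# is written to this file (it holds admin credentials for the kind cluster;
# keep it out of version control). Every kubectl call is pinned to it — the
# original `KUBECONFIG=... cmd1 && cmd2` form only applied the variable to the
# first command, so `wait`/`logs` ran against the user's default context.
# The `-` on the delete tolerates a job that does not exist yet.
kind-run: KUBECONFIG = "./kubeconfig.kube-bench"
.PHONY: kind-run
kind-run: kind-push
	sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind.yaml > ./hack/kind.test.yaml
	kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG)
	-KUBECONFIG=$(KUBECONFIG) kubectl delete job kube-bench
	export KUBECONFIG=$(KUBECONFIG) && \
	kubectl apply -f ./hack/kind.test.yaml && \
	kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
	kubectl logs job/kube-bench > ./test.data && \
	diff ./test.data integration/testdata/Expected_output.data
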
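# STIG variant of kind-run: same flow with hack/kind-stig.yaml and the STIG
# expected output. The kubeconfig file holds admin credentials for the kind
# cluster; keep it out of version control. KUBECONFIG is exported once so that
# apply/wait/logs all target the kind cluster — with the per-command prefix
# only the first command was pinned and the rest used the default context.
# The `-` on the delete tolerates a job that does not exist yet.
kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench"
.PHONY: kind-run-stig
kind-run-stig: kind-push
	sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml
	kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG)
	-KUBECONFIG=$(KUBECONFIG) kubectl delete job kube-bench
	export KUBECONFIG=$(KUBECONFIG) && \
	kubectl apply -f ./hack/kind-stig.test.yaml && \
	kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
	kubectl logs job/kube-bench > ./test.data && \
	diff ./test.data integration/testdata/Expected_output_stig.data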