update the yaml according (#410)

The update is from the new cis version 1.4.1.
like been done in https://github.com/aquasecurity/kube-bench/issues/370

.gitignore

@@ -4,5 +4,6 @@ vendor
 dist
 .vscode/
 hack/kind.test.yaml
+coverage.txt
 
-.idea/
+.idea/

.goreleaser.yml

@@ -1,8 +1,9 @@
+env:
+  - GO111MODULE=on
 builds:
   - main: main.go
     binary: kube-bench
     goos:
-      - darwin
       - linux
     goarch:
       - amd64

.travis.yml

@@ -13,6 +13,7 @@ before_install:
   - sudo apt-get -qq update
   - sudo apt-get install -y rpm
   - gem install --no-ri --no-rdoc fpm
+  - go get -t -v ./...
 
 script:
   - GO111MODULE=on go test ./...
@@ -20,10 +21,20 @@ script:
   - docker run -v `pwd`:/host kube-bench install 
   - test -d cfg
   - test -f kube-bench
-
+  - make tests
+  
 after_success:
-  - test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash
+  - bash <(curl -s https://codecov.io/bash)
+deploy:
+  - provider: script
+    skip_cleanup: true
+    script: curl -sL https://git.io/goreleaser | bash
+    on:
+      tags: true
+      condition: "$TRAVIS_OS_NAME = linux"
 
 env:
   global:
     secure: mb8AYZKDo6hkKN+2F9ldXcw27Yn2AfxpXvKlD8GD7NdGOI+TaiSFbE0I+qqTa/1DqcRekCQwqN7OG/17s9JDkgzUXYuYUGlVUOM4WbeJoSlzJFIOh9r9R/JddluYJohypgkE20IBHIrEHq5sY0Nn1Pl9WgSQFaVcQjxkX009AOuVjN0o5HcoXsb5hAzvHrpoSPkcSSqq7VWab60TgUttVaRlZSGwGdSYQEqk5TdO0hWHuXyxaaEPybgFIyZLLbxPS4JmMz8n3Sngetpw9Jgc+V9Fc7wKXpjvZZ33SpArG5p5ZFFu2YQOXFLZth9qtQOjduQ2gU1kHN6WjWnJ8QX2s8vmU38Tk19kd5i+mz9dvc87IdBvmTIqVYSpM6AAYa2osBGP3f97Rj2S68lTad4ecSVyHdsjz56vdE3ZH4wskswmogbKkVdvO4biPHxT6odszBxYLEJuRJyZ7ckXd52MCzqAUPrw7YUuH8N1mLIlf7V5bW5R+q4DlKw774zxnHiWrymXGvlINSrB0qxBn8Fii6ib+Pacl3PuqSumCcgIHlVjqrzIXaqcTMn2/ABZYC99mralGvwA/EgNa8CBKB5evMCEwWa5Ntvcs2I2DFcO5Q2WzN4H0YScyAzzCzK7/3hWJE/rUIJntwiSXkV3MSa1yxWSGGH8F1lcz+lzgTBm/MU=
+  matrix:
+    - GO111MODULE=on

README.md

@@ -2,7 +2,10 @@
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
 [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench)
+[![Coverage Status][cov-img]][cov]
 
+[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/master/graph/badge.svg
+[cov]: https://codecov.io/github/aquasecurity/kube-bench
 <img src="images/kube-bench.png" width="200" alt="kube-bench logo">
 
 kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). 
@@ -23,7 +26,7 @@ kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.
 | 1.1.0| 1.7 | 1.7 |
 | 1.2.0| 1.8 | 1.8-1.10 |
 | 1.3.0| 1.11 | 1.11-1.12 |
-| 1.4.0| 1.13 | 1.13- |
+| 1.4.1| 1.13 | 1.13- |
 
 By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
 
@@ -37,21 +40,53 @@ You can choose to
 * install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),
 * compile it from source.
 
+## Running kube-bench
+
+kube-bench automatically selects which `controls` to use based on the detected
+node type and the version of kubernetes a cluster is running. This behaviour
+can be overridden by specifying the `master` or `node` subcommand and the
+`--version` flag on the command line. 
+
+The kubernetes version can also be set with the KUBE_BENCH_VERSION environment variable.
+The value of `--version` takes precedence over the value of KUBE_BENCH_VERSION.
+
+For example:
+run kube-bench against a master with version auto-detection:
+
+```
+kube-bench master
+```
+
+or run kube-bench against a node with the node `controls` for kubernetes 
+version 1.13:
+```
+kube-bench node --version 1.13
+```
+
+`controls` for the various versions of kubernetes can be found in directories
+with same name as the kubernetes versions under `cfg/`, for example `cfg/1.13`.
+`controls` are also organized by distribution under the `cfg` directory for
+example `cfg/ocp-3.10`.
+
 ### Running inside a container
 
-You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions.
+You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions. 
 
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest [master|node]
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest [master|node] --version 1.13
 ```
 
-You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
+> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
 
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node]
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest [master|node] 
 ```
 
-> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
+You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
+
+```
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yam -v $(which kubectl):/usr/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest [master|node]
+```
 
 ### Running in a kubernetes cluster
 
@@ -129,19 +164,6 @@ go build -o kube-bench .
 
 kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify `--version ocp-3.10` when you run the `kube-bench` command (either directly or through YAML). This config version is valid for OCP 3.10 and 3.11. 
 
-## Configuration
-
-Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file.
-
-Any settings in the version-specific config file `cfg/<version>/config.yaml` take precedence over settings in the main `cfg/config.yaml` file.
-
-For each type of node (*master*, *node* or *federated*) there is a list of components, and for each component there is a set of binaries (*bins*) and config files (*confs*) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to `cfg/config.yaml`.
-
-* **bins** - If there is a *bins* list for a component, at least one of these binaries must be running. The tests will consider the parameters for the first binary in the list found to be running.
-* **podspecs** - From version 1.2.0 of the benchmark (tests for Kubernetes 1.8), the remediation instructions were updated to assume that the configuration for several kubernetes components is defined in a pod YAML file, and podspec settings define where to look for that configuration.
-* **confs** - If one of the listed config files is found, this will be considered for the test. Tests can continue even if no config file is found. If no file is found at any of the listed locations, and a *defaultconf* location is given for the component, the test will give remediation advice using the *defaultconf* location.
-* **unitfiles** - From version 1.2.0 of the benchmark  (tests for Kubernetes 1.8), the remediation instructions were updated to assume that kubelet configuration is defined in a service file, and this setting defines where to look for that configuration.
-
 ## Output
 
 There are three output states
@@ -149,37 +171,17 @@ There are three output states
 - [WARN] means this test needs further attention, for example it is a test that needs to be run manually 
 - [INFO] is informational output that needs no further action.
 
+## Configuration
+
+Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file.
+
+Any settings in the version-specific config file `cfg/<version>/config.yaml` take precedence over settings in the main `cfg/config.yaml` file.
+
+You can read more about `kube-bench` configuration in our [documentation](docs/README.md#configuration-and-variables).
+
 ## Test config YAML representation
-The tests are represented as YAML documents (installed by default into ./cfg).
 
-An example is as listed below:
-```
----
-controls:
-id: 1
-text: "Master Checks"
-type: "master"
-groups:
-- id: 1.1
-  text: "Kube-apiserver"
-  checks:
-    - id: 1.1.1
-      text: "Ensure that the --allow-privileged argument is set (Scored)"
-      audit: "ps -ef | grep kube-apiserver | grep -v grep"
-      tests:
-      bin_op: or
-      test_items:
-      - flag: "--allow-privileged"
-        set: true
-      - flag: "--some-other-flag"
-        set: false
-      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
-      scored: true
-```
-
-Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
-Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
-These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
+The tests (or "controls") are represented as YAML documents (installed by default into ./cfg). There are different versions of these test YAML files reflecting different versions of the CIS Kubernetes Benchmark. You will find more information about the test file YAML definitions in our [documentation](docs/README.md).
 
 ### Omitting checks
 
@@ -195,47 +197,6 @@ If you decide that a recommendation is not appropriate for your environment, you
 
 No tests will be run for this check and the output will be marked [INFO].
 
-## Tests
-Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
-
-The syntax for tests:
-```
-tests:
-- flag:
-  set:
-  compare:
-    op:
-    value:
-...
-```
-
-You can also define jsonpath and yamlpath tests using the following syntax:
-
-```
-tests:
-- path:
-  set:
-  compare:
-    op:
-    value:
-...
-```
-
-Tests have various `operations` which are used to compare the output of audit commands for success.
-These operations are:
-
-- `eq`: tests if the flag value is equal to the compared value.
-- `noteq`: tests if the flag value is unequal to the compared value.
-- `gt`: tests if the flag value is greater than the compared value.
-- `gte`: tests if the flag value is greater than or equal to the compared value.
-- `lt`: tests if the flag value is less than the compared value.
-- `lte`: tests if the flag value is less than or equal to the compared value.
-- `has`: tests if the flag value contains the compared value.
-- `nothave`: tests if the flag value does not contain the compared value.
-- `regex`: tests if the flag value matches the compared value regular expression.
-
-When defining regular expressions in YAML it is generally easier to wrap them in single quotes, for example `'^[abc]$'`, to avoid issues with string escaping.
-
 # Roadmap
 Going forward we plan to release updates to kube-bench to add support for new releases of the Benchmark, which in turn we can anticipate being made for each new Kubernetes release.
 
@@ -284,6 +245,6 @@ We welcome pull requests!
 - Your PR is more likely to be accepted if it focuses on just one change.
 - Please include a comment with the results before and after your change. 
 - Your PR is more likely to be accepted if it includes tests. (We have not historically been very strict about tests, but we would like to improve this!). 
-- You're welcome to submit a **WIP** *(work in progress)* PR if you would like early feedback on an idea or an approach. 
+- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach. 
 - Happy coding!
 

cfg/1.11-json/node.yaml

@@ -10,6 +10,9 @@ groups:
   checks:
   - id: 2.1.1
     text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+    # This is one of those properties that can only be set as a command line argument. 
+    # To check if the property is set as expected, we need to parse the kubelet command 
+    # instead reading the Kubelet Configuration file.
     audit: "ps -fC $kubeletbin"
     tests:
       test_items:
@@ -93,10 +96,7 @@ groups:
     text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
     audit: "cat $kubeletconf"
     tests:
-      bin_op: or
       test_items:
-      - path: "{.readOnlyPort}"
-        set: false
       - path: "{.readOnlyPort}"
         compare:
           op: eq
@@ -319,7 +319,7 @@ groups:
         set: true
     remediation: |
       If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-      If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
+      If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false
 
@@ -436,6 +436,10 @@ groups:
         Run the below command (based on the file location on your system) on the each worker
         node. For example,
         chmod 644 $proxykubeconfig
+
+        Note - This test reports "FAIL" if kube-proxy has been configured
+        using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored 
+        as the kube-proxy does not expose the kubeconfig file to the worker node.
       scored: true
 
     - id: 2.2.6
@@ -449,6 +453,10 @@ groups:
           Run the below command (based on the file location on your system) on the each worker
           node. For example,
           chown root:root $proxykubeconfig
+                 
+          Note - This test reports "FAIL" if kube-proxy has been configured
+          using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored 
+          as the kube-proxy does not expose the kubeconfig file to the worker node.
       scored: true
 
     - id: 2.2.7
@@ -462,8 +470,14 @@ groups:
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/1.11/master.yaml

@@ -153,12 +153,15 @@ groups:
     text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
+      bin_op: or
       test_items:
       - flag: "--enable-admission-plugins"
         compare:
           op: nothave
           value: AlwaysAdmit
         set: true
+      - flag: "--enable-admission-plugins"
+        set: false
     remediation: |
       Edit the API server pod specification file $apiserverconf
       on the master node and set the --enable-admission-plugins parameter to a
@@ -438,12 +441,15 @@ groups:
     text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
+      bin_op: or
       test_items:
       - flag: "--enable-admission-plugins"
         compare:
           op: has
           value: "ServiceAccount"
         set: true
+      - flag: "--enable-admission-plugins"
+        set: false
     remediation: |
       Follow the documentation and create ServiceAccount objects as per your environment.
       Then, edit the API server pod specification file $apiserverconf
@@ -1232,7 +1238,6 @@ groups:
     text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
     set as appropriate (Scored)"
     audit: "ps -ef | grep $etcdbin | grep -v grep"
-    type: "manual"
     tests:
       bin_op: and
       test_items:
@@ -1251,7 +1256,6 @@ groups:
   - id: 1.5.5
     text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
     audit: "ps -ef | grep $etcdbin | grep -v grep"
-    type: "manual"
     tests:
       test_items:
       - flag: "--peer-client-cert-auth"
@@ -1268,7 +1272,6 @@ groups:
   - id: 1.5.6
     text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
     audit: "ps -ef | grep $etcdbin | grep -v grep"
-    type: "manual"
     tests:
       bin_op: or
       test_items:

cfg/1.11/node.yaml

@@ -114,12 +114,15 @@ groups:
     text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
     audit: "ps -fC $kubeletbin"
     tests:
+      bin_op: or
       test_items:
       - flag: "--streaming-connection-idle-timeout"
         compare:
           op: noteq
           value: 0
         set: true
+      - flag: "--streaming-connection-idle-timeout"
+        set: false
     remediation: |
       If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
       value other than 0.
@@ -264,12 +267,15 @@ groups:
     text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
     audit: "ps -fC $kubeletbin"
     tests:
+      bin_op: or
       test_items:
       - flag: "--rotate-certificates"
         compare:
           op: eq
           value: true
         set: true
+      - flag: "--rotate-certificates"
+        set: false
     remediation: |
       If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
       If using command line arguments, edit the kubelet service file $kubeletsvc 
@@ -310,7 +316,7 @@ groups:
         set: true
     remediation: |
       If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-      If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
+      If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false
 
@@ -453,8 +459,14 @@ groups:
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/1.13-json/config.yaml

@@ -0,0 +1,16 @@
+---
+# Config file for systems such as EKS where config is in JSON files
+# Master nodes are controlled by EKS and not user-accessible
+node:
+  kubernetes:
+    confs:
+      - "/var/lib/kubelet/kubeconfig"
+    kubeconfig:
+      - "/var/lib/kubelet/kubeconfig"
+
+  kubelet:
+    defaultsvc: "/etc/systemd/system/kubelet.service"
+    defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
+
+  proxy:
+    defaultkubeconfig: "/var/lib/kubelet/kubeconfig"

cfg/1.13-json/node.yaml

@@ -0,0 +1,504 @@
+---
+controls:
+version: 1.13
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 2.1
+  text: "Kubelet"
+  checks:
+  - id: 2.1.1
+    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.authentication.anonymous.enabled}"
+        compare:
+          op: eq
+          value: false
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
+      false .
+      If using executable arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --anonymous-auth=false
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.2
+    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.authorization.mode}"
+        compare:
+          op: nothave
+          value: "AlwaysAllow"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
+      If using executable arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_AUTHZ_ARGS variable.
+      --authorization-mode=Webhook
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.3
+    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.authentication.x509.clientCAFile}"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
+      the location of the client CA file.
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_AUTHZ_ARGS variable.
+      --client-ca-file=<path/to/client-ca-file>
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.4
+    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.readOnlyPort}"
+        compare:
+          op: eq
+          value: 0
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --read-only-port=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.5
+    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      bin_op: or
+      test_items:
+      - path: "{.streamingConnectionIdleTimeout}"
+        compare:
+          op: noteq
+          value: 0
+        set: true
+      - path: "{.streamingConnectionIdleTimeout}"
+        set: false
+    remediation: |
+      If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
+      value other than 0.
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --streaming-connection-idle-timeout=5m
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.6
+    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.protectKernelDefaults}"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --protect-kernel-defaults=true
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.7
+    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      bin_op: or
+      test_items:
+      - path: "{.makeIPTablesUtilChains}"
+        compare:
+          op: eq
+          value: true
+        set: true
+      - path: "{.makeIPTablesUtilChains}"
+        set: false
+    remediation: |
+      If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      remove the --make-iptables-util-chains argument from the
+      KUBELET_SYSTEM_PODS_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.8
+    text: "Ensure that the --hostname-override argument is not set (Scored)"
+    # This is one of those properties that can only be set as a command line argument. 
+    # To check if the property is set as expected, we need to parse the kubelet command 
+    # instead reading the Kubelet Configuration file.
+    audit: "ps -fC $kubeletbin"
+    tests:
+      test_items:
+      - flag: "--hostname-override"
+        set: false
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and remove the --hostname-override argument from the
+      KUBELET_SYSTEM_PODS_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.9
+    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.eventRecordQPS}"
+        compare:
+          op: eq
+          value: 0
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --event-qps=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.10
+    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      bin_op: and
+      test_items:
+      - path: "{.tlsCertFile}"
+        set: true
+      - path: "{.tlsPrivateKeyFile}"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
+      file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
+      corresponding private key file.
+      If using command line arguments, edit the kubelet service file
+      $kubeletsvc on each worker node and
+      set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
+      --tls-cert-file=<path/to/tls-certificate-file>
+      file=<path/to/tls-key-file>
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.11
+    text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0"
+    # This is one of those properties that can only be set as a command line argument. 
+    # To check if the property is set as expected, we need to parse the kubelet command 
+    # instead reading the Kubelet Configuration file.
+    audit: "ps -fC $kubeletbin"
+    type: skip
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "--cadvisor-port"
+        compare:
+          op: eq
+          value: 0
+        set: true
+      - flag: "--cadvisor-port"
+        set: false
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
+      --cadvisor-port=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: false
+
+  - id: 2.1.12
+    text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.rotateCertificates}"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
+      If using command line arguments, edit the kubelet service file $kubeletsvc 
+      on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.13
+    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{.featureGates.RotateKubeletServerCertificate}"
+        compare:
+          op: eq
+          value: true
+        set: true
+    remediation: |
+      Edit the kubelet service file $kubeletsvc
+      on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
+      --feature-gates=RotateKubeletServerCertificate=true
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
+    scored: true
+
+  - id: 2.1.14
+    text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
+    audit: "cat $kubeletconf"
+    tests:
+      test_items:
+      - path: "{range .tlsCipherSuites[:]}{}{','}{end}"
+        compare:
+          op: valid_elements
+          value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
+        set: true
+    remediation: |
+      If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+      If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
+      --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+    scored: false
+
+- id: 2.2
+  text: "Configuration Files"
+  checks:
+    - id: 2.2.1
+      text: "Ensure that the kubelet.conf file permissions are set to 644 or
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
+      tests:
+        bin_op: or
+        test_items:
+          - flag: "644"
+            compare:
+              op: eq
+              value: "644"
+            set: true
+          - flag: "640"
+            compare:
+              op: eq
+              value: "640"
+            set: true
+          - flag: "600"
+            compare:
+              op: eq
+              value: "600"
+            set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 644 $kubeletkubeconfig
+      scored: true
+
+    - id: 2.2.2
+      text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chown root:root $kubeletkubeconfig
+      scored: true
+
+    - id: 2.2.3
+      text: "Ensure that the kubelet service file permissions are set to 644 or
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
+      tests:
+        bin_op: or
+        test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: 644
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 755 $kubeletsvc
+      scored: true
+
+    - id: 2.2.4
+      text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
+      tests:
+        test_items:
+        - flag: "root:root"
+          set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chown root:root $kubeletsvc
+      scored: true
+
+    - id: 2.2.5
+      text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
+      tests:
+        bin_op: or
+        test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+      remediation: |
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 644 $proxykubeconfig
+
+        Note - This test reports "FAIL" if kube-proxy has been configured
+        using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored 
+        as the kube-proxy does not expose the kubeconfig file to the worker node.
+      scored: true
+
+    - id: 2.2.6
+      text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
+      tests:
+        test_items:
+        - flag: "root:root"
+          set: true
+      remediation: |
+          Run the below command (based on the file location on your system) on the each worker
+          node. For example,
+          chown root:root $proxykubeconfig
+          
+          Note - This test reports "FAIL" if kube-proxy has been configured
+          using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored 
+          as the kube-proxy does not expose the kubeconfig file to the worker node.
+      scored: true
+
+    - id: 2.2.7
+      text: "Ensure that the certificate authorities file permissions are set to
+      644 or more restrictive (Scored)"
+      type: manual
+      remediation: |
+        Run the following command to modify the file permissions of the --client-ca-file
+        chmod 644 <filename>
+      scored: true
+
+    - id: 2.2.8
+      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
+      remediation: |
+        Run the following command to modify the ownership of the --client-ca-file .
+        chown root:root <filename>
+      scored: true
+
+    - id: 2.2.9
+      text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+      tests:
+        test_items:
+        - flag: "root:root"
+          set: true
+      remediation: |
+        Run the following command (using the config file location identied in the Audit step)
+        chown root:root $kubeletconf
+      scored: true
+
+    - id: 2.2.10
+      text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+      tests:
+        bin_op: or
+        test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+      remediation: |
+        Run the following command (using the config file location identied in the Audit step)
+        chmod 644 $kubeletconf
+      scored: true

cfg/1.13/master.yaml

@@ -153,12 +153,15 @@ groups:
     text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
+      bin_op: or
       test_items:
       - flag: "--enable-admission-plugins"
         compare:
           op: nothave
           value: AlwaysAdmit
         set: true
+      - flag: "--enable-admission-plugins"
+        set: false
     remediation: |
       Edit the API server pod specification file $apiserverconf
       on the master node and set the --enable-admission-plugins parameter to a
@@ -183,8 +186,9 @@ groups:
     scored: true
 
   - id: 1.1.12
-    text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
+    text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
+    type: skip
     tests:
       test_items:
       - flag: "--enable-admission-plugins"
@@ -197,10 +201,10 @@ groups:
       on the master node and set the --enable-admission-plugins parameter to a
       value that includes DenyEscalatingExec.
       --enable-admission-plugins=...,DenyEscalatingExec,...
-    scored: true
+    scored: false
 
   - id: 1.1.13
-    text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
+    text: "Ensure that the admission control plugin SecurityContextDeny is set (Not Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
       test_items:
@@ -441,12 +445,15 @@ groups:
     text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
+      bin_op: or
       test_items:
       - flag: "--enable-admission-plugins"
         compare:
           op: has
           value: "ServiceAccount"
         set: true
+      - flag: "--enable-admission-plugins"
+        set: false
     remediation: |
       Follow the documentation and create ServiceAccount objects as per your environment.
       Then, edit the API server pod specification file $apiserverconf
@@ -556,19 +563,19 @@ groups:
     scored: true
 
   - id: 1.1.34
-    text: "Ensure that the --experimental-encryption-provider-config argument is
-    set as appropriate (Scored)"
+    text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
+    type: "manual"
     tests:
       test_items:
-      - flag: "--experimental-encryption-provider-config"
+      - flag: "--encryption-provider-config"
         set: true
     remediation: |
       Follow the Kubernetes documentation and configure a EncryptionConfig file.
       Then, edit the API server pod specification file $apiserverconf on the
-      master node and set the --experimental-encryption-provider-config parameter
+      master node and set the --encryption-provider-config parameter
       to the path of that file:
-      --experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
+      --encryption-provider-config=</path/to/EncryptionConfig/File>
     scored: true
 
   - id: 1.1.35
@@ -1219,7 +1226,7 @@ groups:
     scored: true
     
   - id: 1.4.21
-    text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Scored)"
+    text: "Ensure that the Kubernetes PKI key file permissions are set to 600 or more restrictive (Scored)"
     audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key"
     type: "manual"
     tests:
@@ -1292,7 +1299,6 @@ groups:
     text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
     set as appropriate (Scored)"
     audit: "ps -ef | grep $etcdbin | grep -v grep"
-    type: "manual"
     tests:
       bin_op: and
       test_items:
@@ -1311,7 +1317,6 @@ groups:
   - id: 1.5.5
     text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
     audit: "ps -ef | grep $etcdbin | grep -v grep"
-    type: "manual"
     tests:
       test_items:
       - flag: "--peer-client-cert-auth"
@@ -1328,7 +1333,6 @@ groups:
   - id: 1.5.6
     text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
     audit: "ps -ef | grep $etcdbin | grep -v grep"
-    type: "manual"
     tests:
       bin_op: or
       test_items:

cfg/1.13/node.yaml

@@ -22,7 +22,7 @@ groups:
       If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
       false .
       If using executable arguments, edit the kubelet service file
-      $kubeletconf on each worker node and
+      $kubeletsvc on each worker node and
       set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
       --anonymous-auth=false
       Based on your system, restart the kubelet service. For example:
@@ -95,12 +95,15 @@ groups:
     text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
     audit: "ps -fC $kubeletbin"
     tests:
+      bin_op: or
       test_items:
       - flag: "--streaming-connection-idle-timeout"
         compare:
           op: noteq
           value: 0
         set: true
+      - flag: "--streaming-connection-idle-timeout"
+        set: false
     remediation: |
       If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
       value other than 0.
@@ -220,8 +223,9 @@ groups:
     scored: true
 
   - id: 2.1.11
-    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+    text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
     audit: "ps -fC $kubeletbin"
+    type: skip
     tests:
       bin_op: or
       test_items:
@@ -239,18 +243,21 @@ groups:
       Based on your system, restart the kubelet service. For example:
       systemctl daemon-reload
       systemctl restart kubelet.service
-    scored: true
+    scored: false
 
   - id: 2.1.12
     text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
     audit: "ps -fC $kubeletbin"
     tests:
+      bin_op: or
       test_items:
       - flag: "--rotate-certificates"
         compare:
           op: eq
           value: true
         set: true
+      - flag: "--rotate-certificates"
+        set: false
     remediation: |
       If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
       If using command line arguments, edit the kubelet service file $kubeletsvc 
@@ -291,7 +298,7 @@ groups:
         set: true
     remediation: |
       If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-      If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
+      If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false
 
@@ -434,8 +441,14 @@ groups:
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/1.6/node.yaml

@@ -83,7 +83,7 @@ groups:
         test_items:
           - flag: "--streaming-connection-idle-timeout"
             compare:
-              op: gt
+              op: noteq
               value: 0
             set: true
       remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS 

cfg/1.8/node.yaml

@@ -430,9 +430,15 @@ groups:
       scored: true
 
     - id: 2.2.8
-      text: "Ensure that the client certificate authorities file ownership is set to root:root"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/config.yaml

@@ -1,5 +1,5 @@
 ---
-## Controls Files. 
+## Controls Files.
 # These are YAML files that hold all the details for running checks.
 #
 ## Uncomment to use different control file paths.
@@ -12,7 +12,7 @@ master:
     - apiserver
     - scheduler
     - controllermanager
-    - etcd 
+    - etcd
     - flanneld
     # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
     - kubernetes
@@ -78,28 +78,57 @@ node:
     - kubernetes
 
   kubernetes:
-    defaultconf: /etc/kubernetes/config    
+    defaultconf: "/etc/kubernetes/config"
 
   kubelet:
+    cafile:
+      - "/etc/kubernetes/pki/ca.crt"
+      - "/etc/kubernetes/certs/ca.crt"
+      - "/etc/kubernetes/cert/ca.pem"
+    svc: 
+      # These paths must also be included
+      #  in the 'confs' property below
+      - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
+      - "/etc/systemd/system/kubelet.service"
+      - "/lib/systemd/system/kubelet.service"
     bins:
       - "hyperkube kubelet"
       - "kubelet"
+    kubeconfig:
+      - "/etc/kubernetes/kubelet.conf"
+      - "/var/lib/kubelet/kubeconfig"
+      - "/etc/kubernetes/kubelet-kubeconfig"
     confs:
       - "/var/lib/kubelet/config.yaml"
       - "/etc/kubernetes/kubelet/kubelet-config.json"
       - "/home/kubernetes/kubelet-config.yaml"
+      - "/etc/default/kubelet"
+      ## Due to the fact that the kubelet might be configured
+      ## without a kubelet-config file, we use a work-around
+      ## of pointing to the systemd service file (which can also
+      ## hold kubelet configuration).
+      ## Note: The following paths must match the one under 'svc'
+      - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
+      - "/etc/systemd/system/kubelet.service"
+      - "/lib/systemd/system/kubelet.service"
     defaultconf: "/var/lib/kubelet/config.yaml"
     defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
     defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
+    defaultcafile: "/etc/kubernetes/pki/ca.crt"
 
   proxy:
     bins:
       - "kube-proxy"
       - "hyperkube proxy"
+      - "hyperkube kube-proxy"
       - "proxy"
     confs:
       - /etc/kubernetes/proxy
       - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+    kubeconfig:
+      - /etc/kubernetes/kubelet-kubeconfig
+    svc:
+      - "/lib/systemd/system/kube-proxy.service"
     defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
     defaultkubeconfig: "/etc/kubernetes/proxy.conf"
 

cfg/ocp-3.10/federated.yaml

@@ -1,113 +0,0 @@
----
-controls:
-id: 3
-text: "Federated Deployments"
-type: "federated"
-groups:
-- id: 3.1
-  text: "Federated API Server"
-  checks:
-  - id: 3.1.1
-    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.2
-    text: "Ensure that the --basic-auth-file argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.3
-    text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.4
-    text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.5
-    text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.6
-    text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.7
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.8
-    text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.9
-    text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.10
-    text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.11
-    text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.12
-    text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.13
-    text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.14
-    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.15
-    text: "Ensure that the --token-auth-file parameter is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.16
-    text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.17
-    text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.18
-    text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.19
-    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-
-- id: 3.2
-  text: "Federation Controller Manager"
-  checks:
-  - id: 3.2.1
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-

cfg/ocp-3.11/federated.yaml

@@ -1,113 +0,0 @@
----
-controls:
-id: 3
-text: "Federated Deployments"
-type: "federated"
-groups:
-- id: 3.1
-  text: "Federated API Server"
-  checks:
-  - id: 3.1.1
-    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.2
-    text: "Ensure that the --basic-auth-file argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.3
-    text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.4
-    text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.5
-    text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.6
-    text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.7
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.8
-    text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.9
-    text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.10
-    text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.11
-    text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.12
-    text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.13
-    text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.14
-    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.15
-    text: "Ensure that the --token-auth-file parameter is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.16
-    text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.17
-    text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.18
-    text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 3.1.19
-    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-
-- id: 3.2
-  text: "Federation Controller Manager"
-  checks:
-  - id: 3.2.1
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-

check/check.go

@@ -60,18 +60,18 @@ func handleError(err error, context string) (errmsg string) {
 // Check contains information about a recommendation in the
 // CIS Kubernetes 1.6+ document.
 type Check struct {
-	ID          string      `yaml:"id" json:"test_number"`
-	Text        string      `json:"test_desc"`
-	Audit       string      `json:"audit"`
-	Type        string      `json:"type"`
-	Commands    []*exec.Cmd `json:"omit"`
-	Tests       *tests      `json:"omit"`
-	Set         bool        `json:"omit"`
-	Remediation string      `json:"remediation"`
-	TestInfo    []string    `json:"test_info"`
-	State       `json:"status"`
-	ActualValue string `json:"actual_value"`
-	Scored      bool   `json:"scored"`
+	ID             string      `yaml:"id" json:"test_number"`
+	Text           string      `json:"test_desc"`
+	Audit          string      `json:"audit"`
+	Type           string      `json:"type"`
+	Commands       []*exec.Cmd `json:"omit"`
+	Tests          *tests      `json:"omit"`
+	Set            bool        `json:"omit"`
+	Remediation    string      `json:"remediation"`
+	TestInfo       []string    `json:"test_info"`
+	State          `json:"status"`
+	ActualValue    string `json:"actual_value"`
+	Scored         bool   `json:"scored"`
 	ExpectedResult string `json:"expected_result"`
 }
 
@@ -102,8 +102,8 @@ func (c *Check) run() State {
 		return c.State
 	}
 
-	// If check type is manual or the check is not scored, force result to WARN
-	if c.Type == "manual" || !c.Scored {
+	// If check type is manual force result to WARN
+	if c.Type == "manual" {
 		c.State = WARN
 		return c.State
 	}
@@ -193,7 +193,11 @@ func (c *Check) run() State {
 		if finalOutput.testResult {
 			c.State = PASS
 		} else {
-			c.State = FAIL
+			if c.Scored {
+				c.State = FAIL
+			} else {
+				c.State = WARN
+			}
 		}
 	} else {
 		errmsgs += handleError(

check/test.go

@@ -37,8 +37,9 @@ import (
 type binOp string
 
 const (
-	and binOp = "and"
-	or        = "or"
+	and                   binOp = "and"
+	or                          = "or"
+	defaultArraySeparator       = ","
 )
 
 type testItem struct {
@@ -56,8 +57,8 @@ type compare struct {
 }
 
 type testOutput struct {
-	testResult   bool
-	actualResult string
+	testResult     bool
+	actualResult   string
 	ExpectedResult string
 }
 
@@ -76,36 +77,22 @@ func (t *testItem) execute(s string) *testOutput {
 	} else {
 		// Path != "" - we don't know whether it's YAML or JSON but
 		// we can just try one then the other
-		buf := new(bytes.Buffer)
 		var jsonInterface interface{}
 
 		if t.Path != "" {
-			err := json.Unmarshal([]byte(s), &jsonInterface)
+			err := unmarshal(s, &jsonInterface)
 			if err != nil {
-				err := yaml.Unmarshal([]byte(s), &jsonInterface)
-				if err != nil {
-					fmt.Fprintf(os.Stderr, "failed to load YAML or JSON from provided input \"%s\": %v\n", s, err)
-					return failTestItem("failed to load YAML or JSON")
-				}
+				fmt.Fprintf(os.Stderr, "failed to load YAML or JSON from provided input \"%s\": %v\n", s, err)
+				return failTestItem("failed to load YAML or JSON")
 			}
+
 		}
 
-		// Parse the jsonpath/yamlpath expression...
-		j := jsonpath.New("jsonpath")
-		j.AllowMissingKeys(true)
-		err := j.Parse(t.Path)
+		jsonpathResult, err := executeJSONPath(t.Path, &jsonInterface)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "unable to parse path expression \"%s\": %v\n", t.Path, err)
-			return failTestItem("unable to parse path expression")
-		}
-
-		err = j.Execute(buf, jsonInterface)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error executing path expression \"%s\": %v\n", t.Path, err)
 			return failTestItem("error executing path expression")
 		}
-
-		jsonpathResult := fmt.Sprintf("%s", buf)
 		match = (jsonpathResult != "")
 		flagVal = jsonpathResult
 	}
@@ -136,63 +123,7 @@ func (t *testItem) execute(s string) *testOutput {
 				}
 			}
 
-			expectedResultPattern := ""
-			switch t.Compare.Op {
-			case "eq":
-				expectedResultPattern = "'%s' is equal to '%s'"
-				value := strings.ToLower(flagVal)
-				// Do case insensitive comparaison for booleans ...
-				if value == "false" || value == "true" {
-					result.testResult = value == t.Compare.Value
-				} else {
-					result.testResult = flagVal == t.Compare.Value
-				}
-
-			case "noteq":
-				expectedResultPattern = "'%s' is not equal to '%s'"
-				value := strings.ToLower(flagVal)
-				// Do case insensitive comparaison for booleans ...
-				if value == "false" || value == "true" {
-					result.testResult = !(value == t.Compare.Value)
-				} else {
-					result.testResult = !(flagVal == t.Compare.Value)
-				}
-
-			case "gt":
-				expectedResultPattern = "%s is greater then %s"
-				a, b := toNumeric(flagVal, t.Compare.Value)
-				result.testResult = a > b
-
-			case "gte":
-				expectedResultPattern = "%s is greater or equal to %s"
-				a, b := toNumeric(flagVal, t.Compare.Value)
-				result.testResult = a >= b
-
-			case "lt":
-				expectedResultPattern = "%s is lower then %s"
-				a, b := toNumeric(flagVal, t.Compare.Value)
-				result.testResult = a < b
-
-			case "lte":
-				expectedResultPattern = "%s is lower or equal to %s"
-				a, b := toNumeric(flagVal, t.Compare.Value)
-				result.testResult = a <= b
-
-			case "has":
-				expectedResultPattern = "'%s' has '%s'"
-				result.testResult = strings.Contains(flagVal, t.Compare.Value)
-
-			case "nothave":
-				expectedResultPattern = " '%s' not have '%s'"
-				result.testResult = !strings.Contains(flagVal, t.Compare.Value)
-
-			case "regex":
-				expectedResultPattern = " '%s' matched by '%s'"
-				opRe := regexp.MustCompile(t.Compare.Value)
-				result.testResult = opRe.MatchString(flagVal)
-			}
-
-			result.ExpectedResult = fmt.Sprintf(expectedResultPattern, t.Flag, t.Compare.Value)
+			result.ExpectedResult, result.testResult = compareOp(t.Compare.Op, flagVal, t.Compare.Value)
 		} else {
 			result.ExpectedResult = fmt.Sprintf("'%s' is present", t.Flag)
 			result.testResult = isset
@@ -205,6 +136,153 @@ func (t *testItem) execute(s string) *testOutput {
 	return result
 }
 
+func compareOp(tCompareOp string, flagVal string, tCompareValue string) (string, bool) {
+
+	expectedResultPattern := ""
+	testResult := false
+
+	switch tCompareOp {
+	case "eq":
+		expectedResultPattern = "'%s' is equal to '%s'"
+		value := strings.ToLower(flagVal)
+		// Do case insensitive comparaison for booleans ...
+		if value == "false" || value == "true" {
+			testResult = value == tCompareValue
+		} else {
+			testResult = flagVal == tCompareValue
+		}
+
+	case "noteq":
+		expectedResultPattern = "'%s' is not equal to '%s'"
+		value := strings.ToLower(flagVal)
+		// Do case insensitive comparaison for booleans ...
+		if value == "false" || value == "true" {
+			testResult = !(value == tCompareValue)
+		} else {
+			testResult = !(flagVal == tCompareValue)
+		}
+
+	case "gt":
+		expectedResultPattern = "%s is greater than %s"
+		a, b := toNumeric(flagVal, tCompareValue)
+		testResult = a > b
+
+	case "gte":
+		expectedResultPattern = "%s is greater or equal to %s"
+		a, b := toNumeric(flagVal, tCompareValue)
+		testResult = a >= b
+
+	case "lt":
+		expectedResultPattern = "%s is lower than %s"
+		a, b := toNumeric(flagVal, tCompareValue)
+		testResult = a < b
+
+	case "lte":
+		expectedResultPattern = "%s is lower or equal to %s"
+		a, b := toNumeric(flagVal, tCompareValue)
+		testResult = a <= b
+
+	case "has":
+		expectedResultPattern = "'%s' has '%s'"
+		testResult = strings.Contains(flagVal, tCompareValue)
+
+	case "nothave":
+		expectedResultPattern = " '%s' not have '%s'"
+		testResult = !strings.Contains(flagVal, tCompareValue)
+
+	case "regex":
+		expectedResultPattern = " '%s' matched by '%s'"
+		opRe := regexp.MustCompile(tCompareValue)
+		testResult = opRe.MatchString(flagVal)
+
+	case "valid_elements":
+		expectedResultPattern = "'%s' contains valid elements from '%s'"
+		s := splitAndRemoveLastSeparator(flagVal, defaultArraySeparator)
+		target := splitAndRemoveLastSeparator(tCompareValue, defaultArraySeparator)
+		testResult = allElementsValid(s, target)
+
+	}
+
+	if expectedResultPattern == "" {
+		return expectedResultPattern, testResult
+	}
+
+	return fmt.Sprintf(expectedResultPattern, flagVal, tCompareValue), testResult
+}
+
+func unmarshal(s string, jsonInterface *interface{}) error {
+	data := []byte(s)
+	err := json.Unmarshal(data, jsonInterface)
+	if err != nil {
+		err := yaml.Unmarshal(data, jsonInterface)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func executeJSONPath(path string, jsonInterface interface{}) (string, error) {
+	j := jsonpath.New("jsonpath")
+	j.AllowMissingKeys(true)
+	err := j.Parse(path)
+	if err != nil {
+		return "", err
+	}
+
+	buf := new(bytes.Buffer)
+	err = j.Execute(buf, jsonInterface)
+	if err != nil {
+		return "", err
+	}
+	jsonpathResult := fmt.Sprintf("%s", buf)
+	return jsonpathResult, nil
+}
+
+func allElementsValid(s, t []string) bool {
+	sourceEmpty := s == nil || len(s) == 0
+	targetEmpty := t == nil || len(t) == 0
+
+	if sourceEmpty && targetEmpty {
+		return true
+	}
+
+	// XOR comparison -
+	//     if either value is empty and the other is not empty,
+	//     not all elements are valid
+	if (sourceEmpty || targetEmpty) && !(sourceEmpty && targetEmpty) {
+		return false
+	}
+
+	for _, sv := range s {
+		found := false
+		for _, tv := range t {
+			if sv == tv {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return true
+}
+
+func splitAndRemoveLastSeparator(s, sep string) []string {
+	cleanS := strings.TrimRight(strings.TrimSpace(s), sep)
+	if len(cleanS) == 0 {
+		return []string{}
+	}
+
+	ts := strings.Split(cleanS, sep)
+	for i := range ts {
+		ts[i] = strings.TrimSpace(ts[i])
+	}
+
+	return ts
+}
+
 type tests struct {
 	TestItems []*testItem `yaml:"test_items"`
 	BinOp     binOp       `yaml:"bin_op"`

check/test_test.go

@@ -201,3 +201,458 @@ func TestTestExecuteExceptions(t *testing.T) {
 		}
 	}
 }
+
+func TestTestUnmarshal(t *testing.T) {
+	type kubeletConfig struct {
+		Kind       string
+		ApiVersion string
+		Address    string
+	}
+	cases := []struct {
+		content        string
+		jsonInterface  interface{}
+		expectedToFail bool
+	}{
+		{
+			`{
+			"kind": "KubeletConfiguration",
+			"apiVersion": "kubelet.config.k8s.io/v1beta1",
+			"address": "0.0.0.0"
+			}
+			`,
+			kubeletConfig{},
+			false,
+		}, {
+			`
+kind: KubeletConfiguration
+address: 0.0.0.0
+apiVersion: kubelet.config.k8s.io/v1beta1
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    cacheTTL: 2m0s
+  enabled: true
+  x509:
+    clientCAFile: /etc/kubernetes/pki/ca.crt
+tlsCipherSuites:
+  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+`,
+			kubeletConfig{},
+			false,
+		},
+		{
+			`
+kind: ddress: 0.0.0.0
+apiVersion: kubelet.config.k8s.io/v1beta
+`,
+			kubeletConfig{},
+			true,
+		},
+	}
+
+	for _, c := range cases {
+		err := unmarshal(c.content, &c.jsonInterface)
+		if err != nil {
+			if !c.expectedToFail {
+				t.Errorf("%s, expectedToFail:%v, got:%v\n", c.content, c.expectedToFail, err)
+			}
+		} else {
+			if c.expectedToFail {
+				t.Errorf("%s, expectedToFail:%v, got:Did not fail\n", c.content, c.expectedToFail)
+			}
+		}
+	}
+}
+
+func TestExecuteJSONPath(t *testing.T) {
+	type kubeletConfig struct {
+		Kind       string
+		ApiVersion string
+		Address    string
+	}
+	cases := []struct {
+		jsonPath       string
+		jsonInterface  kubeletConfig
+		expectedResult string
+		expectedToFail bool
+	}{
+		{
+			// JSONPath parse works, results don't match
+			"{.Kind}",
+			kubeletConfig{
+				Kind:       "KubeletConfiguration",
+				ApiVersion: "kubelet.config.k8s.io/v1beta1",
+				Address:    "127.0.0.0",
+			},
+			"blah",
+			true,
+		},
+		{
+			// JSONPath parse works, results match
+			"{.Kind}",
+			kubeletConfig{
+				Kind:       "KubeletConfiguration",
+				ApiVersion: "kubelet.config.k8s.io/v1beta1",
+				Address:    "127.0.0.0",
+			},
+			"KubeletConfiguration",
+			false,
+		},
+		{
+			// JSONPath parse fails
+			"{.ApiVersion",
+			kubeletConfig{
+				Kind:       "KubeletConfiguration",
+				ApiVersion: "kubelet.config.k8s.io/v1beta1",
+				Address:    "127.0.0.0",
+			},
+			"",
+			true,
+		},
+	}
+	for _, c := range cases {
+		result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
+		if err != nil && !c.expectedToFail {
+			t.Fatalf("jsonPath:%q, expectedResult:%q got:%v\n", c.jsonPath, c.expectedResult, err)
+		}
+		if c.expectedResult != result && !c.expectedToFail {
+			t.Errorf("jsonPath:%q, expectedResult:%q got:%q\n", c.jsonPath, c.expectedResult, result)
+		}
+	}
+}
+
+func TestAllElementsValid(t *testing.T) {
+	cases := []struct {
+		source []string
+		target []string
+		valid  bool
+	}{
+		{
+			source: []string{},
+			target: []string{},
+			valid:  true,
+		},
+		{
+			source: []string{"blah"},
+			target: []string{},
+			valid:  false,
+		},
+		{
+			source: []string{},
+			target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+			valid: false,
+		},
+		{
+			source: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+			target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+			valid: true,
+		},
+		{
+			source: []string{"blah"},
+			target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+			valid: false,
+		},
+		{
+			source: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "blah"},
+			target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+			valid: false,
+		},
+	}
+	for _, c := range cases {
+		if !allElementsValid(c.source, c.target) && c.valid {
+			t.Errorf("Not All Elements in %q are found in %q \n", c.source, c.target)
+		}
+	}
+}
+
+func TestSplitAndRemoveLastSeparator(t *testing.T) {
+	cases := []struct {
+		source     string
+		valid      bool
+		elementCnt int
+	}{
+		{
+			source:     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256",
+			valid:      true,
+			elementCnt: 8,
+		},
+		{
+			source:     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
+			valid:      true,
+			elementCnt: 2,
+		},
+		{
+			source:     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
+			valid:      true,
+			elementCnt: 2,
+		},
+		{
+			source:     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ",
+			valid:      true,
+			elementCnt: 2,
+		},
+		{
+			source:     " TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
+			valid:      true,
+			elementCnt: 2,
+		},
+	}
+
+	for _, c := range cases {
+		as := splitAndRemoveLastSeparator(c.source, defaultArraySeparator)
+		if len(as) == 0 && c.valid {
+			t.Errorf("Split did not work with %q \n", c.source)
+		}
+
+		if c.elementCnt != len(as) {
+			t.Errorf("Split did not work with %q expected: %d got: %d\n", c.source, c.elementCnt, len(as))
+		}
+
+	}
+}
+
+func TestCompareOp(t *testing.T) {
+	cases := []struct {
+		label                 string
+		op                    string
+		flagVal               string
+		compareValue          string
+		expectedResultPattern string
+		testResult            bool
+	}{
+		// Test Op not matching
+		{label: "empty - op", op: "", flagVal: "", compareValue: "", expectedResultPattern: "", testResult: false},
+		{label: "op=blah", op: "blah", flagVal: "foo", compareValue: "bar", expectedResultPattern: "", testResult: false},
+
+		// Test Op "eq"
+		{label: "op=eq, both empty", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'' is equal to ''", testResult: true},
+
+		{label: "op=eq, true==true", op: "eq", flagVal: "true",
+			compareValue:          "true",
+			expectedResultPattern: "'true' is equal to 'true'",
+			testResult:            true},
+
+		{label: "op=eq, false==false", op: "eq", flagVal: "false",
+			compareValue:          "false",
+			expectedResultPattern: "'false' is equal to 'false'",
+			testResult:            true},
+
+		{label: "op=eq, false==true", op: "eq", flagVal: "false",
+			compareValue:          "true",
+			expectedResultPattern: "'false' is equal to 'true'",
+			testResult:            false},
+
+		{label: "op=eq, strings match", op: "eq", flagVal: "KubeletConfiguration",
+			compareValue:          "KubeletConfiguration",
+			expectedResultPattern: "'KubeletConfiguration' is equal to 'KubeletConfiguration'",
+			testResult:            true},
+
+		{label: "op=eq, flagVal=empty", op: "eq", flagVal: "",
+			compareValue:          "KubeletConfiguration",
+			expectedResultPattern: "'' is equal to 'KubeletConfiguration'",
+			testResult:            false},
+
+		{label: "op=eq, compareValue=empty", op: "eq", flagVal: "KubeletConfiguration",
+			compareValue:          "",
+			expectedResultPattern: "'KubeletConfiguration' is equal to ''",
+			testResult:            false},
+
+		// Test Op "noteq"
+		{label: "op=noteq, both empty", op: "noteq", flagVal: "",
+			compareValue: "", expectedResultPattern: "'' is not equal to ''",
+			testResult: false},
+
+		{label: "op=noteq, true!=true", op: "noteq", flagVal: "true",
+			compareValue:          "true",
+			expectedResultPattern: "'true' is not equal to 'true'",
+			testResult:            false},
+
+		{label: "op=noteq, false!=false", op: "noteq", flagVal: "false",
+			compareValue:          "false",
+			expectedResultPattern: "'false' is not equal to 'false'",
+			testResult:            false},
+
+		{label: "op=noteq, false!=true", op: "noteq", flagVal: "false",
+			compareValue:          "true",
+			expectedResultPattern: "'false' is not equal to 'true'",
+			testResult:            true},
+
+		{label: "op=noteq, strings match", op: "noteq", flagVal: "KubeletConfiguration",
+			compareValue:          "KubeletConfiguration",
+			expectedResultPattern: "'KubeletConfiguration' is not equal to 'KubeletConfiguration'",
+			testResult:            false},
+
+		{label: "op=noteq, flagVal=empty", op: "noteq", flagVal: "",
+			compareValue:          "KubeletConfiguration",
+			expectedResultPattern: "'' is not equal to 'KubeletConfiguration'",
+			testResult:            true},
+
+		{label: "op=noteq, compareValue=empty", op: "noteq", flagVal: "KubeletConfiguration",
+			compareValue:          "",
+			expectedResultPattern: "'KubeletConfiguration' is not equal to ''",
+			testResult:            true},
+
+		// Test Op "gt"
+		// TODO: test for non-numeric values.
+		//        toNumeric function currently uses os.Exit, which stops tests.
+		// {label: "op=gt, both empty", op: "gt", flagVal: "",
+		// 	compareValue: "", expectedResultPattern: "'' is greater than ''",
+		// 	testResult: true},
+		{label: "op=gt, 0 > 0", op: "gt", flagVal: "0",
+			compareValue: "0", expectedResultPattern: "0 is greater than 0",
+			testResult: false},
+		{label: "op=gt, 4 > 5", op: "gt", flagVal: "4",
+			compareValue: "5", expectedResultPattern: "4 is greater than 5",
+			testResult: false},
+		{label: "op=gt, 5 > 4", op: "gt", flagVal: "5",
+			compareValue: "4", expectedResultPattern: "5 is greater than 4",
+			testResult: true},
+		{label: "op=gt, 5 > 5", op: "gt", flagVal: "5",
+			compareValue: "5", expectedResultPattern: "5 is greater than 5",
+			testResult: false},
+
+		// Test Op "lt"
+		// TODO: test for non-numeric values.
+		//        toNumeric function currently uses os.Exit, which stops tests.
+		// {label: "op=lt, both empty", op: "lt", flagVal: "",
+		// 	compareValue: "", expectedResultPattern: "'' is lower than ''",
+		// 	testResult: true},
+		{label: "op=gt, 0 < 0", op: "lt", flagVal: "0",
+			compareValue: "0", expectedResultPattern: "0 is lower than 0",
+			testResult: false},
+		{label: "op=gt, 4 < 5", op: "lt", flagVal: "4",
+			compareValue: "5", expectedResultPattern: "4 is lower than 5",
+			testResult: true},
+		{label: "op=gt, 5 < 4", op: "lt", flagVal: "5",
+			compareValue: "4", expectedResultPattern: "5 is lower than 4",
+			testResult: false},
+		{label: "op=gt, 5 < 5", op: "lt", flagVal: "5",
+			compareValue: "5", expectedResultPattern: "5 is lower than 5",
+			testResult: false},
+
+		// Test Op "gte"
+		// TODO: test for non-numeric values.
+		//        toNumeric function currently uses os.Exit, which stops tests.
+		// {label: "op=gt, both empty", op: "gte", flagVal: "",
+		// 	compareValue: "", expectedResultPattern: "'' is greater or equal to ''",
+		// 	testResult: true},
+		{label: "op=gt, 0 >= 0", op: "gte", flagVal: "0",
+			compareValue: "0", expectedResultPattern: "0 is greater or equal to 0",
+			testResult: true},
+		{label: "op=gt, 4 >= 5", op: "gte", flagVal: "4",
+			compareValue: "5", expectedResultPattern: "4 is greater or equal to 5",
+			testResult: false},
+		{label: "op=gt, 5 >= 4", op: "gte", flagVal: "5",
+			compareValue: "4", expectedResultPattern: "5 is greater or equal to 4",
+			testResult: true},
+		{label: "op=gt, 5 >= 5", op: "gte", flagVal: "5",
+			compareValue: "5", expectedResultPattern: "5 is greater or equal to 5",
+			testResult: true},
+
+		// Test Op "lte"
+		// TODO: test for non-numeric values.
+		//        toNumeric function currently uses os.Exit, which stops tests.
+		// {label: "op=gt, both empty", op: "lte", flagVal: "",
+		// 	compareValue: "", expectedResultPattern: "'' is lower or equal to ''",
+		// 	testResult: true},
+		{label: "op=gt, 0 <= 0", op: "lte", flagVal: "0",
+			compareValue: "0", expectedResultPattern: "0 is lower or equal to 0",
+			testResult: true},
+		{label: "op=gt, 4 <= 5", op: "lte", flagVal: "4",
+			compareValue: "5", expectedResultPattern: "4 is lower or equal to 5",
+			testResult: true},
+		{label: "op=gt, 5 <= 4", op: "lte", flagVal: "5",
+			compareValue: "4", expectedResultPattern: "5 is lower or equal to 4",
+			testResult: false},
+		{label: "op=gt, 5 <= 5", op: "lte", flagVal: "5",
+			compareValue: "5", expectedResultPattern: "5 is lower or equal to 5",
+			testResult: true},
+
+		// Test Op "has"
+		{label: "op=gt, both empty", op: "has", flagVal: "",
+			compareValue: "", expectedResultPattern: "'' has ''",
+			testResult: true},
+		{label: "op=gt, flagVal=empty", op: "has", flagVal: "",
+			compareValue: "blah", expectedResultPattern: "'' has 'blah'",
+			testResult: false},
+		{label: "op=gt, compareValue=empty", op: "has", flagVal: "blah",
+			compareValue: "", expectedResultPattern: "'blah' has ''",
+			testResult: true},
+		{label: "op=gt, 'blah' has 'la'", op: "has", flagVal: "blah",
+			compareValue: "la", expectedResultPattern: "'blah' has 'la'",
+			testResult: true},
+		{label: "op=gt, 'blah' has 'LA'", op: "has", flagVal: "blah",
+			compareValue: "LA", expectedResultPattern: "'blah' has 'LA'",
+			testResult: false},
+		{label: "op=gt, 'blah' has 'lo'", op: "has", flagVal: "blah",
+			compareValue: "lo", expectedResultPattern: "'blah' has 'lo'",
+			testResult: false},
+
+		// Test Op "nothave"
+		{label: "op=gt, both empty", op: "nothave", flagVal: "",
+			compareValue: "", expectedResultPattern: " '' not have ''",
+			testResult: false},
+		{label: "op=gt, flagVal=empty", op: "nothave", flagVal: "",
+			compareValue: "blah", expectedResultPattern: " '' not have 'blah'",
+			testResult: true},
+		{label: "op=gt, compareValue=empty", op: "nothave", flagVal: "blah",
+			compareValue: "", expectedResultPattern: " 'blah' not have ''",
+			testResult: false},
+		{label: "op=gt, 'blah' not have 'la'", op: "nothave", flagVal: "blah",
+			compareValue: "la", expectedResultPattern: " 'blah' not have 'la'",
+			testResult: false},
+		{label: "op=gt, 'blah' not have 'LA'", op: "nothave", flagVal: "blah",
+			compareValue: "LA", expectedResultPattern: " 'blah' not have 'LA'",
+			testResult: true},
+		{label: "op=gt, 'blah' not have 'lo'", op: "nothave", flagVal: "blah",
+			compareValue: "lo", expectedResultPattern: " 'blah' not have 'lo'",
+			testResult: true},
+
+		// Test Op "regex"
+		{label: "op=gt, both empty", op: "regex", flagVal: "",
+			compareValue: "", expectedResultPattern: " '' matched by ''",
+			testResult: true},
+		{label: "op=gt, flagVal=empty", op: "regex", flagVal: "",
+			compareValue: "blah", expectedResultPattern: " '' matched by 'blah'",
+			testResult: false},
+
+		// Test Op "valid_elements"
+		{label: "op=valid_elements, valid_elements both empty", op: "valid_elements", flagVal: "",
+			compareValue: "", expectedResultPattern: "'' contains valid elements from ''",
+			testResult: true},
+
+		{label: "op=valid_elements, valid_elements flagVal empty", op: "valid_elements", flagVal: "",
+			compareValue: "a,b", expectedResultPattern: "'' contains valid elements from 'a,b'",
+			testResult: false},
+
+		{label: "op=valid_elements, valid_elements expectedResultPattern empty", op: "valid_elements", flagVal: "a,b",
+			compareValue: "", expectedResultPattern: "'a,b' contains valid elements from ''",
+			testResult: false},
+	}
+
+	for _, c := range cases {
+		expectedResultPattern, testResult := compareOp(c.op, c.flagVal, c.compareValue)
+
+		if expectedResultPattern != c.expectedResultPattern {
+			t.Errorf("'expectedResultPattern' did not match - label: %q op: %q expected 'expectedResultPattern':%q  got:%q\n", c.label, c.op, c.expectedResultPattern, expectedResultPattern)
+		}
+
+		if testResult != c.testResult {
+			t.Errorf("'testResult' did not match - label: %q op: %q expected 'testResult':%t  got:%t\n", c.label, c.op, c.testResult, testResult)
+		}
+	}
+}

cmd/common.go

@@ -65,6 +65,12 @@ func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
 func runChecks(nodetype check.NodeType) {
 	var summary check.Summary
 
+	// Verify config file was loaded into Viper during Cobra sub-command initialization.
+	if configFileError != nil {
+		colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError))
+		os.Exit(1)
+	}
+
 	def := loadConfig(nodetype)
 	in, err := ioutil.ReadFile(def)
 	if err != nil {
@@ -82,9 +88,10 @@ func runChecks(nodetype check.NodeType) {
 		exitWithError(err)
 	}
 
-	confmap := getConfigFiles(typeConf)
-	svcmap := getServiceFiles(typeConf)
-	kubeconfmap := getKubeConfigFiles(typeConf)
+	confmap := getFiles(typeConf, "config")
+	svcmap := getFiles(typeConf, "service")
+	kubeconfmap := getFiles(typeConf, "kubeconfig")
+	cafilemap := getFiles(typeConf, "ca")
 
 	// Variable substitutions. Replace all occurrences of variables in controls files.
 	s := string(in)
@@ -92,6 +99,7 @@ func runChecks(nodetype check.NodeType) {
 	s = makeSubstitutions(s, "conf", confmap)
 	s = makeSubstitutions(s, "svc", svcmap)
 	s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
+	s = makeSubstitutions(s, "cafile", cafilemap)
 
 	controls, err := check.NewControls(nodetype, []byte(s))
 	if err != nil {

cmd/root.go

@@ -49,6 +49,7 @@ var (
 	filterOpts         FilterOpts
 	includeTestOutput  bool
 	outputFile         string
+	configFileError    error
 )
 
 // RootCmd represents the base command when called without any subcommands
@@ -129,12 +130,27 @@ func initConfig() {
 		viper.AddConfigPath(cfgDir)   // adding ./cfg as first search path
 	}
 
+	// Read flag values from environment variables.
+	// Precedence: Command line flags take precedence over environment variables.
 	viper.SetEnvPrefix(envVarsPrefix)
-	viper.AutomaticEnv() // read in environment variables that match
+	viper.AutomaticEnv()
+	
+	if kubeVersion == "" {
+		if env := viper.Get("version"); env != nil {
+			kubeVersion = env.(string)
+		}
+ 	}
 
 	// If a config file is found, read it in.
 	if err := viper.ReadInConfig(); err != nil {
-		colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))
-		os.Exit(1)
+		if _, ok := err.(viper.ConfigFileNotFoundError); ok {
+			// Config file not found; ignore error for now to prevent commands
+			// which don't need the config file exiting.
+			configFileError = err
+		} else {
+			// Config file was found but another error was produced
+			colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))
+			os.Exit(1)
+		}
 	}
 }

cmd/util.go

@@ -27,6 +27,12 @@ var (
 
 var psFunc func(string) string
 var statFunc func(string) (os.FileInfo, error)
+var TypeMap = map[string][]string{
+	"ca": []string{"cafile", "defaultcafile"},
+	"kubeconfig": []string{"kubeconfig", "defaultkubeconfig"},
+	"service": []string{"svc", "defaultsvc"},
+	"config": []string{"confs", "defaultconf"},
+}
 
 func init() {
 	psFunc = ps
@@ -68,6 +74,8 @@ func cleanIDs(list string) map[string]bool {
 
 // ps execs out to the ps command; it's separated into a function so we can write tests
 func ps(proc string) string {
+	// TODO: truncate proc to 15 chars
+	// See https://github.com/aquasecurity/kube-bench/issues/328#issuecomment-506813344
 	cmd := exec.Command("ps", "-C", proc, "-o", "cmd", "--no-headers")
 	out, err := cmd.Output()
 	if err != nil {
@@ -163,9 +171,11 @@ func decrementVersion(version string) string {
 	return strings.Join(split, ".")
 }
 
-// getConfigFiles finds which of the set of candidate config files exist
-func getConfigFiles(v *viper.Viper) map[string]string {
-	confmap := make(map[string]string)
+// getFiles finds which of the set of candidate files exist
+func getFiles(v *viper.Viper, fileType string) map[string]string {
+	filemap := make(map[string]string)
+	mainOpt := TypeMap[fileType][0]
+	defaultOpt := TypeMap[fileType][1]
 
 	for _, component := range v.GetStringSlice("components") {
 		s := v.Sub(component)
@@ -173,87 +183,25 @@ func getConfigFiles(v *viper.Viper) map[string]string {
 			continue
 		}
 
-		// See if any of the candidate config files exist
-		conf := findConfigFile(s.GetStringSlice("confs"))
-		if conf == "" {
-			if s.IsSet("defaultconf") {
-				conf = s.GetString("defaultconf")
-				glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
+		// See if any of the candidate files exist
+		file := findConfigFile(s.GetStringSlice(mainOpt))
+		if file == "" {
+			if s.IsSet(defaultOpt) {
+				file = s.GetString(defaultOpt)
+				glog.V(2).Info(fmt.Sprintf("Using default %s file name '%s' for component %s", fileType, file, component))
 			} else {
-				// Default the config file name that we'll substitute to the name of the component
-				glog.V(2).Info(fmt.Sprintf("Missing config file for %s", component))
-				conf = component
+				// Default the file name that we'll substitute to the name of the component
+				glog.V(2).Info(fmt.Sprintf("Missing %s file for %s", fileType, component))
+				file = component
 			}
 		} else {
-			glog.V(2).Info(fmt.Sprintf("Component %s uses config file '%s'", component, conf))
+			glog.V(2).Info(fmt.Sprintf("Component %s uses %s file '%s'", component, fileType, file))
 		}
 
-		confmap[component] = conf
+		filemap[component] = file
 	}
 
-	return confmap
-}
-
-// getServiceFiles finds which of the set of candidate service files exist
-func getServiceFiles(v *viper.Viper) map[string]string {
-	svcmap := make(map[string]string)
-
-	for _, component := range v.GetStringSlice("components") {
-		s := v.Sub(component)
-		if s == nil {
-			continue
-		}
-
-		// See if any of the candidate config files exist
-		svc := findConfigFile(s.GetStringSlice("svc"))
-		if svc == "" {
-			if s.IsSet("defaultsvc") {
-				svc = s.GetString("defaultsvc")
-				glog.V(2).Info(fmt.Sprintf("Using default service file name '%s' for component %s", svc, component))
-			} else {
-				// Default the service file name that we'll substitute to the name of the component
-				glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
-				svc = component
-			}
-		} else {
-			glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, svc))
-		}
-
-		svcmap[component] = svc
-	}
-
-	return svcmap
-}
-
-// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
-func getKubeConfigFiles(v *viper.Viper) map[string]string {
-	kubeconfigmap := make(map[string]string)
-
-	for _, component := range v.GetStringSlice("components") {
-		s := v.Sub(component)
-		if s == nil {
-			continue
-		}
-
-		// See if any of the candidate config files exist
-		kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig"))
-		if kubeconfig == "" {
-			if s.IsSet("defaultkubeconfig") {
-				kubeconfig = s.GetString("defaultkubeconfig")
-				glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
-			} else {
-				// Default the service file name that we'll substitute to the name of the component
-				glog.V(2).Info(fmt.Sprintf("Missing kubeconfig file for %s", component))
-				kubeconfig = component
-			}
-		} else {
-			glog.V(2).Info(fmt.Sprintf("Component %s uses kubeconfig file '%s'", component, kubeconfig))
-		}
-
-		kubeconfigmap[component] = kubeconfig
-	}
-
-	return kubeconfigmap
+	return filemap
 }
 
 // verifyBin checks that the binary specified is running

cmd/util_test.go

@@ -298,7 +298,7 @@ func TestGetConfigFiles(t *testing.T) {
 			e = c.statResults
 			eIndex = 0
 
-			m := getConfigFiles(v)
+			m := getFiles(v, "config")
 			if !reflect.DeepEqual(m, c.exp) {
 				t.Fatalf("Got %v\nExpected %v", m, c.exp)
 			}
@@ -373,7 +373,7 @@ func TestGetServiceFiles(t *testing.T) {
 			e = c.statResults
 			eIndex = 0
 
-			m := getServiceFiles(v)
+			m := getFiles(v, "service")
 			if !reflect.DeepEqual(m, c.exp) {
 				t.Fatalf("Got %v\nExpected %v", m, c.exp)
 			}

docs/README.md

@@ -4,30 +4,11 @@
 representation of the CIS Kubernetes Benchmark checks. There is a 
 `controls` file per kubernetes version and node type.
 
-kube-bench automatically selects which `controls` to use based on the detected
-node type and the version of kubernetes a cluster is running. This behaviour
-can be overridden by specifying the `master` or `node` subcommand and the
-`--version` flag on the command line.
-
-For example:
-run kube-bench against a master with version  auto-detection:
-
-```
-kube-bench master
-```
-
-or run kube-bench against a node with the node `controls` for kubernetes 
-version 1.12:
-```
-kube-bench node --version 1.12
-```
-
 `controls` for the various versions of kubernetes can be found in directories
 with same name as the kubernetes versions under `cfg/`, for example `cfg/1.12`.
 `controls` are also organized by distribution under the `cfg` directory for
 example `cfg/ocp-3.10`.
 
-
 ## Controls
 
 `controls` is a YAML document that contains checks that must be run against a 
@@ -248,6 +229,9 @@ The `op` (operations) currently supported in `kube-bench` are:
 - `lte`: tests if the keyword is less than or equal to the compared value.
 - `has`: tests if the keyword contains the compared value.
 - `nothave`: tests if the keyword does not contain the compared value.
+- `regex`: tests if the flag value matches the compared value regular expression.
+   When defining regular expressions in YAML it is generally easier to wrap them in
+   single quotes, for example `'^[abc]$'`, to avoid issues with string escaping.
 
 ## Configuration and Variables
 
@@ -291,12 +275,11 @@ Every node type has a subsection that specifies the main configurations items.
   Each component has the following entries:
 
 - `bins`: A list of candidate binaries for a component. `kube-bench` checks this
-   list and selects the first binary that is running on the node, if none is
-   running, `kube-bench` terminates.
+   list and selects the first binary that is running on the node.
 
-   If `defaultbin` is specified, `kube-bench` ignores the `bins` list (if it is
-   specified) and verifies the binary specified with `defaultbin` is running on
-   the node. `kube-bench` terminates if this binary is not running.
+   if none of the binaries in `bins` list is running, `kube-bench` checks if the
+   binary specified by `defaultbin` is running and terminates if none of the 
+   binaries in both `bins` and `defaultbin` is running.
    
    The selected binary for a component can be referenced in `controls` using a 
    variable in the form `$<component>bin`. In the example below, we reference 
@@ -311,12 +294,9 @@ Every node type has a subsection that specifies the main configurations items.
    ```
    
 - `confs`: A list of candidate configuration files for a component. `kube-bench`
-  checks this list and selects the first config fille that is found on the node,
-  if none of the config files exists `kube-bench` terminates.
-  
-  If `defaultconf`is specified for a component, `kube-bench` ignores the `confs`
-  list (if it is specified) and verifies the config specified by `defaultconf`
-  exists on the node. `kube-bench` terminates if this file does not exist.
+  checks this list and selects the first config file that is found on the node,
+  if none of the config files exists, `kube-bench` defaults conf to the value
+  of `defaultconf`.
   
   The selected config for a component can be referenced in `controls` using a
   variable in the form `$<component>conf`. In the example below we reference the 
@@ -333,11 +313,7 @@ Every node type has a subsection that specifies the main configurations items.
   
 - `svcs`:  A list of candidates unitfiles for a component. `kube-bench` checks this 
   list and selects the first unitfile that is found on the node, if none of the
-  unitfiles exists `kube-bench` terminates.
-  
-  If `defaultsvc`is specified for a component, `kube-bench` ignores the `svcs`
-  list (if it is specified) and verifies the unitfile specified by `defaultsvc`
-  exists on the node. `kube-bench` terminates if this file does not exist.
+  unitfiles exists, `kube-bench` defaults unitfile to the value of `defaultsvc`.
   
   The selected unitfile for a component can be referenced in `controls` via a
   variable in the form `$<component>svc`. In the example below, the selected 
@@ -359,11 +335,8 @@ Every node type has a subsection that specifies the main configurations items.
   
   - `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench`
     checks this list and selects the first file that is found on the node, if none
-    of the files exists `kube-bench` terminates.
-    
-    If `defaultkubeconfig` is specified for a component, `kube-bench` ignores the
-    `kubeconfig` list (if it is specified) and verifies the kubeconfig file exists on
-    the node. `kube-bench` terminates if this file does not exist.
+    of the files exists, `kube-bench` defaults kubeconfig to the value of 
+    `defaultkubeconfig`.
     
     The selected kubeconfig for a component can be referenced in `controls` with
     a variable in the form `$<component>kubeconfig`. In the example below, the

job-iks.yaml

@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kube-bench
+spec:
+  template:
+    spec:
+      hostPID: true
+      containers:
+      - name: kube-bench
+        image: aquasec/kube-bench:latest
+        command: ["kube-bench", "--version", "1.13", "node"]
+        volumeMounts:
+        - name: var-lib-kubelet
+          mountPath: /var/lib/kubelet
+        - name: etc-systemd
+          mountPath: /etc/systemd
+        - name: etc-kubernetes
+          mountPath: /etc/kubernetes
+      restartPolicy: Never
+      volumes:
+      - name: var-lib-kubelet
+        hostPath:
+          path: "/var/lib/kubelet"
+      - name: etc-systemd
+        hostPath:
+          path: "/lib/systemd"
+      - name: etc-kubernetes
+        hostPath:
+          path: "/etc/kubernetes"
+      - name: usr-bin
+        hostPath:
+          path: "/usr/bin"

makefile

@@ -32,7 +32,7 @@ build-docker:
              -t $(IMAGE_NAME) .
 
 tests:
-	go test -race -timeout 30s -cover ./cmd ./check
+	GO111MODULE=on go test -v -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
 
 # creates a kind cluster to be used for development.
 HAS_KIND := $(shell command -v kind;)