github/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2026-02-19 20:40:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:v0.0.5
Branches Tags
github:main github:lihiz_preflight github:dependabot/github_actions/golangci/golangci-lint-action-7 github:gh-pages github:aquadev
github:v0.14.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.2 github:v0.11.1 github:v0.11.0 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.4 github:v0.9.3 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.8.0 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.6.19 github:v0.6.18 github:v0.6.18-rc github:v0.6.17 github:v0.6.16 github:v0.6.16-rc github:v0.6.15 github:v0.6.14 github:v0.6.14-rc github:v0.6.13 github:v0.6.13-rc2 github:v0.6.13-rc github:v0.6.12 github:v0.6.12-rc github:v0.6.11 github:v0.6.10 github:v0.6.9 github:v0.6.8 github:v0.6.7 github:v0.6.7-rc1 github:v0.6.6 github:v0.6.5 github:v0.6.4 github:v0.6.3 github:v0.6.2 github:0.6.1 github:v0.6.0 github:v0.5.0 github:v0.4.0 github:v0.3.1 github:v0.3.0 github:v0.2.3 github:v0.0.1-alpha.0 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.0 github:v0.0.34 github:v0.0.33 github:v0.0.32 github:v0.0.31 github:v0.0.30 github:v0.0.29 github:v0.0.27 github:V0.0.27 github:v0.0.28 github:0.0.27 github:v0.0.26 github:v0.0.25 github:v0.0.24 github:v0.0.23 github:v0.0.22 github:v0.0.21 github:v0.0.20 github:v0.0.18 github:v0.0.19 github:v0.0.17 github:v0.0.16 github:v0.0.15 github:v0.0.14 github:0.0.14 github:v0.0.13 github:v0.0.12 github:v0.0.11 github:v0.0.10 github:v0.0.9 github:v0.0.8 github:v0.0.7 github:v0.0.6 github:v0.0.5 github:v0.0.4 github:v0.0.3 github:v0.0.2 github:v0.0.1
...
compare: github:aquadev
Branches Tags
github:main github:lihiz_preflight github:dependabot/github_actions/golangci/golangci-lint-action-7 github:gh-pages github:aquadev
github:v0.14.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.2 github:v0.11.1 github:v0.11.0 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.4 github:v0.9.3 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.8.0 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.6.19 github:v0.6.18 github:v0.6.18-rc github:v0.6.17 github:v0.6.16 github:v0.6.16-rc github:v0.6.15 github:v0.6.14 github:v0.6.14-rc github:v0.6.13 github:v0.6.13-rc2 github:v0.6.13-rc github:v0.6.12 github:v0.6.12-rc github:v0.6.11 github:v0.6.10 github:v0.6.9 github:v0.6.8 github:v0.6.7 github:v0.6.7-rc1 github:v0.6.6 github:v0.6.5 github:v0.6.4 github:v0.6.3 github:v0.6.2 github:0.6.1 github:v0.6.0 github:v0.5.0 github:v0.4.0 github:v0.3.1 github:v0.3.0 github:v0.2.3 github:v0.0.1-alpha.0 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.0 github:v0.0.34 github:v0.0.33 github:v0.0.32 github:v0.0.31 github:v0.0.30 github:v0.0.29 github:v0.0.27 github:V0.0.27 github:v0.0.28 github:0.0.27 github:v0.0.26 github:v0.0.25 github:v0.0.24 github:v0.0.23 github:v0.0.22 github:v0.0.21 github:v0.0.20 github:v0.0.18 github:v0.0.19 github:v0.0.17 github:v0.0.16 github:v0.0.15 github:v0.0.14 github:0.0.14 github:v0.0.13 github:v0.0.12 github:v0.0.11 github:v0.0.10 github:v0.0.9 github:v0.0.8 github:v0.0.7 github:v0.0.6 github:v0.0.5 github:v0.0.4 github:v0.0.3 github:v0.0.2 github:v0.0.1

264 Commits
v0.0.5 ... aquadev

Author SHA1 Message Date
Liz Rice
d30786da4a Merge pull request #258 from aquasecurity/fix-241 
Add ":" as a valid flag-value separator for tests
 2019-04-11 09:37:39 +01:00
Liz Rice
c03e958311 Merge branch 'master' into fix-241 2019-04-11 09:34:02 +01:00
Liz Rice
241972c659 Merge pull request #249 from aquasecurity/document-output 
Document output states
 2019-04-11 09:18:34 +01:00
Liz Rice
d93ed0acca Merge branch 'master' into fix-241 2019-04-11 09:05:18 +01:00
Liz Rice
b5f3299e92 Merge branch 'master' into document-output 2019-04-11 09:04:04 +01:00
Liz Rice
588d75d20d Merge pull request #251 from aquasecurity/version-mapping 
Add CIS & Kubernetes version mapping to README
 2019-04-11 09:03:44 +01:00
Abubakr-Sadik Nii Nai Davis
4b8a7ffbe1 Add ":" as a valid flag-value separator for tests 
This is useful for checking values in YAML (possibly JSON) kubernetes config files.
 2019-04-10 22:47:26 +00:00
Liz Rice
651b72f7d1 Merge branch 'master' into document-output 2019-04-10 08:45:55 +01:00
Liz Rice
0c40532e76 Merge branch 'master' into version-mapping 2019-04-10 08:31:04 +01:00
Liz Rice
54502c5f75 Merge pull request #247 from aquasecurity/yoavrotems-patch-2 
Update master.yaml
 2019-03-27 14:24:03 +00:00
Liz Rice
df556c2f42 Add CIS & Kubernetes version mapping to README 2019-03-27 14:21:22 +00:00
Liz Rice
488f5221ef Document output states 
Also describe how tests can be omitted by editing the YAML
 2019-03-26 10:37:17 +00:00
Liz Rice
b1ce0a9a75 Merge branch 'master' into yoavrotems-patch-2 2019-03-26 09:51:03 +00:00
Liz Rice
0f86bfc060 Merge pull request #246 from aquasecurity/yoavrotems-patch-1 
Update master.yaml
 2019-03-26 09:41:40 +00:00
yoavrotems
d059196b71 Update master.yaml 
Fix 1.1.23 to check *if* --service-account-lookup argument is set and if so then if it's equal to true
 2019-03-25 14:41:06 +02:00
yoavrotems
a85e5a7759 Update master.yaml 
Fix title of 1.4.21 from 644 to 600 according to cis benchmark
 2019-03-25 14:33:52 +02:00
Liz Rice
573136a700 Merge pull request #238 from Kuqd/features/autodetect-nodetype 
Adds master node detection - thanks @Kuqd!
 2019-03-18 18:43:13 +00:00
Liz Rice
9246be924d Merge branch 'master' into features/autodetect-nodetype 2019-03-13 20:36:19 -07:00
Cyril Tovena
5baf81a70a Adds master node detection and a root command that automatically detect checks to run. 
The root command will run node checks and if possible master checks.
I've also added some Makefile targets to improve local testing and improve the documentation.
 2019-03-12 19:32:05 -04:00
Liz Rice
c4c0d911d4 Merge pull request #237 from aquasecurity/openshift 
Update openshift executable config
 2019-03-07 14:53:22 +00:00
Liz Rice
9b3628e76a Update openshift executable config for #236 2019-03-07 11:18:06 +00:00
Liz Rice
8745df170a Merge pull request #233 from aquasecurity/clean-ocp-configs 
Clean up OCP benchmark config.
 2019-03-07 09:30:18 +00:00
Liz Rice
1ead9e1d71 Merge branch 'master' into clean-ocp-configs 2019-03-07 09:22:47 +00:00
Liz Rice
772d2e26b4 Merge pull request #226 from aquasecurity/add-new-cfg-version1.4 
add new config files from the new CIS Kubernetes Benchmark
 2019-03-06 13:35:17 +00:00
Abubakr-Sadik Nii Nai Davis
53ed68a0b2 Clean up OCP benchmark config. 
The OCP benchmarks uses configs for only binary component variable names.
This commit cleans up the OCP config by removing all configuration
except those component binaries required to run kube-bench on OCP
installations and adds missing ones.
 2019-03-06 12:02:58 +00:00
yoavrotems
c6102f0a1b Fix the files 
Fix the start from 1.11 to 1.13 and adding changes from pull #227, and pull #228.
 2019-03-06 11:26:36 +00:00
yoavrotems
e534392525 Delete node.yaml 
replace with the new node.yaml file
 2019-03-06 13:24:14 +02:00
yoavrotems
5f09ecef44 Delete master.yaml 
replace with the new master.yaml file
 2019-03-06 13:23:49 +02:00
yoavrotems
a7d9e06c1b Delete config.yaml 
replace with the new config.yaml file
 2019-03-06 13:23:18 +02:00
yoavrotems
50f22e7f13 Merge branch 'master' into add-new-cfg-version1.4 2019-03-06 11:16:36 +00:00
Liz Rice
2d4019aabe Merge pull request #228 from aquasecurity/fix-208 
Fix issues with checks for kubelet configuration files
 2019-03-03 11:10:05 +00:00
Liz Rice
dd8e7ec874 Merge branch 'master' into fix-208 2019-03-03 09:45:16 +00:00
Abubakr-Sadik Nii Nai Davis
d255b49d4b Revert 1.8 config file. 2019-03-02 17:20:46 +00:00
Liz Rice
0a58805cdb Merge pull request #227 from aquasecurity/fix-false-detections 
Only find flags on the process we really want
 2019-02-28 10:48:23 +08:00
Liz Rice
c18d8a2234 Merge branch 'master' into fix-false-detections 2019-02-28 10:38:41 +08:00
Abubakr-Sadik Nii Nai Davis
a88b0703d8 Add kubeconfig variable substitution for kubelet and proxy. 
There are checks for the kubeconfig for both kubelet and proxy which
the current kube-bench implementation does not check for properly.
kube-bench checks the wrong files.

This PR adds support for variable substitution for all the config file
types are that should be checked in the CIS benchmarks.

This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for
ownership of the kubelet config file /var/lib/kubelet/config.yaml but
recommends changing ownership of kubelet kubeconfig file
/etc/kubernetes/kubelet.conf as remediation.
 2019-02-27 22:15:14 +00:00
Abubakr-Sadik Nii Nai Davis
3f98c1def2 Fix wrong reference to kubelet.config in node checks. 
This fix applies to only checks for kubernetes versions 1.8 and 1.11.
See https://github.com/aquasecurity/kube-bench/pull/208.
 2019-02-27 22:14:19 +00:00
Liz Rice
d712db47a2 Only find flags on the process we really want 2019-02-28 01:33:21 +08:00
yoavrotems
82150fdc63 add new config files from the new CIS Kubernetes Benchmark 
there is a new update at CIS_Kubernetes_Benchmark_v1.4.0 for Kubernetes 1.13
 2019-02-27 10:39:32 +00:00
Liz Rice
c824daeb15 Merge pull request #222 from nshauli/search_for_kubelet_binary_when_not_in_path 
search for the kubelet binary when it is not in the path
 2019-02-19 16:07:20 +00:00
nshauli
e93bfc1aac search for the kubelet binary when it is not in the path 2019-02-19 16:38:10 +02:00
Liz Rice
da09e6513a Merge pull request #218 from yoavAqua/bugfix-log-warnings-instead-of-print 
Bugfix: Logging warning instead of printing
 2019-02-19 13:48:30 +00:00
Liz Rice
7626dc2705 Merge branch 'master' into bugfix-log-warnings-instead-of-print 2019-02-19 13:44:23 +00:00
Yoav Hizkiahou
082e9cf7e9 Bugfix: Logging warning instead of printing 
Made all the warnings to be logged and not printed, so when using the json flag the output will be only in json format.

fix #217
 2019-02-19 14:39:55 +02:00
Liz Rice
2d4c7e8b42 Merge pull request #212 from aquasecurity/ocp-configs 
OCP benchmarks and configs
 2019-02-18 09:31:45 +00:00
Liz Rice
cd231106cc Improve comment 
Tests could easily be marked "skip" because the user doesn't want to run them in their environment, and in this common case the set of tests will be non-nil
 2019-02-18 08:46:26 +00:00
Liz Rice
db962a0ad9 Fix merge of skip check 2019-02-18 08:40:57 +00:00
Abubakr-Sadik Nii Nai Davis
911e9051dc Merge remote-tracking branch 'origin/master' into ocp-configs 2019-02-15 19:48:53 +00:00
Abubakr-Sadik Nii Nai Davis
e899e941f7 Add OCP 3.10 benchmarks. 2019-02-15 19:44:39 +00:00
Weston Steimel
42ed8628de Only get runningVersion if --version has not been provided 
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
 2019-02-15 19:43:13 +00:00
Liz Rice
dc8dcfbf8c Merge pull request #211 from yoavAqua/support-skip-flag 
Type skip and not scored checks
 2019-01-29 23:14:05 +02:00
Yoav Hizkiahou
49f745af8e Support new check type - skip: 
If a check is marked with type "skip", it will be marked as Info.

Support scored property:
If a check is not scored and is not marked with type skip, it will be marked as Warn.
 2019-01-29 19:05:12 +02:00
Liz Rice
ba437d500a Merge pull request #206 from westonsteimel/no_runningversion_if_version_set 
Only get runningVersion if --version has not been provided
 2019-01-24 12:00:59 +01:00
Weston Steimel
42f4152058 Only get runningVersion if --version has not been provided 
Signed-off-by: Weston Steimel <weston.steimel@gmail.com>
 2019-01-24 00:34:09 +00:00
Liz Rice
8dabb7dc37 Merge pull request #201 from aquasecurity/yam-comment 
Comment why we mount /usr/bin
 2019-01-22 09:49:25 +01:00
Liz Rice
f2062e81a1 Comment why /usr/bin is mounted 2019-01-17 11:36:25 +00:00
Liz Rice
528bcfbffe Update job-node.yaml 2019-01-17 11:34:26 +00:00
Liz Rice
3422b9102f Add comment for why /usr/bin is mounted 2019-01-17 11:33:35 +00:00
Liz Rice
86b126ad2b Create NOTICE (#199) 
* Create NOTICE

* Update NOTICE
 2019-01-16 10:53:07 +02:00
Liz Rice
827945f7fb Merge pull request #200 from spuder/patch-1 
warn osx limitation
 2019-01-15 11:11:57 +00:00
Liz Rice
79427e185e Merge branch 'master' into patch-1 2019-01-15 11:05:27 +00:00
Liz Rice
6b9ceae9d4 True for Windows too 2019-01-15 11:05:04 +00:00
Liz Rice
fbd6eb8ff5 Merge pull request #198 from aquasecurity/mount-volumes 
For #197 - create job YAML files that mount host volumes as needed
 2019-01-15 11:03:06 +00:00
Spencer Owen
2a9a02f25b warn osx limitation 2019-01-14 10:41:19 -07:00
Liz Rice
8021610e46 For #197 - create job YAML files that mount host volumes as needed 2019-01-11 18:44:13 +00:00
Liz Rice
2eef3e8ad2 Merge pull request #193 from maxbischoff/patch-1 
Changed 1.1.14 to not fail when flag is not set
 2019-01-09 10:21:27 +00:00
Maximilian Bischoff
791fbba9e7 Changed 1.1.14 to not fail when flag is not set 
Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
 2019-01-08 13:58:41 +01:00
Liz Rice
f6cab11357 Merge pull request #187 from martinmosegaard/doc-kubectl-host-pid 
Document limitation of running with kubectl
 2019-01-02 11:05:32 +00:00
Liz Rice
9f2899027e Merge branch 'master' into doc-kubectl-host-pid 2019-01-02 10:59:19 +00:00
Liz Rice
313fe038f6 Merge pull request #188 from martinmosegaard/rm-space-tls-cipher 
Remove spaces in remediation command for tls-cipher-suites
 2019-01-02 10:59:07 +00:00
Liz Rice
2d721ed4ad Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:53:29 +00:00
Liz Rice
799b928054 Merge pull request #189 from Congelli501/patch-1 
Typo: trailing whitespace for rule text
 2019-01-02 10:53:16 +00:00
Liz Rice
3a662b3ff6 Merge branch 'master' into doc-kubectl-host-pid 2019-01-02 10:53:04 +00:00
Liz Rice
f902b30110 Merge branch 'master' into rm-space-tls-cipher 2019-01-02 10:31:34 +00:00
Liz Rice
b52a88214f Merge branch 'master' into patch-1 2019-01-02 10:30:33 +00:00
Liz Rice
bfdd921f3d Merge pull request #190 from Congelli501/patch-2 
Advise the use to mount /etc & /var read only for docker usage
 2019-01-02 10:29:58 +00:00
Colin GILLE
af7ad90477 Advise the use to mount /etc & /var read only for docker usage 2018-12-31 16:39:31 +01:00
Colin GILLE
ffe7ffb3d3 Type: trailing whitespace for rule text 2018-12-31 16:36:15 +01:00
Martin Mosegaard Amdisen
fd120d0adf Remove spaces in remediation command for tls-cipher-suites 
Makes it easier to copy-paste the remediation. Matches the other occurences
of tls-cipher-suites in the configuration.
 2018-12-27 14:48:21 +01:00
Martin Mosegaard Amdisen
ba03d8f64b Document limitation of running with kubectl 
Once the master node recommended check:

1.1.12 Ensure that the admission control plugin DenyEscalatingExec is set

has been followed, it is no longer possible to run kube-bench itself using kubectl.
 2018-12-27 13:10:00 +01:00
Liz Rice
21f7902288 Merge pull request #183 from s1lv3r40/master 
Fixing Node Check - 2.1.15 typos
 2018-12-21 11:31:43 +00:00
Liz Rice
26e28b8897 Merge branch 'master' into master 2018-12-21 11:26:53 +00:00
Liz Rice
ae1812b4db Merge pull request #185 from maxbischoff/patch-1 
Added missing "=" to master.yaml
 2018-12-21 11:26:40 +00:00
Liz Rice
1534a4aea8 Merge branch 'master' into patch-1 2018-12-21 11:20:13 +00:00
Liz Rice
28a57ff1a3 Merge branch 'master' into master 2018-12-21 11:18:26 +00:00
Liz Rice
41fe066039 Merge pull request #186 from seslattery/seslattery-patch-1 
Fix typo on README.md
 2018-12-21 11:17:31 +00:00
Sean Slattery
5ca498cd50 Fix typo on README.md 2018-12-20 11:19:44 -08:00
Maximilian Bischoff
e81b785bf8 Added missing "=" to master.yaml 
In the remediation of 1.1.11 the flag --enable-admission-plugins was missing a =
 2018-12-19 18:20:23 +01:00
Vladimir Dimov
645d23e1ec fixing typos 2.1.15 2018-11-28 13:14:49 +02:00
Liz Rice
52d6ac717d Merge pull request #181 from aquasecurity/config-file-location-mount 
read config files from host /etc
 2018-11-20 19:49:37 +00:00
Liz Rice
bdbbe41b69 Also /var 2018-11-20 13:22:36 +00:00
Liz Rice
ba9985047c read config files from host /etc 
I don't see how kube-bench can check the permissions on files unless it has access to them on the host, so I think we need to be mounting the /etc directory from the host
 2018-11-20 10:18:06 +00:00
Liz Rice
5fe702edbe Merge pull request #175 from aquasecurity/fix-2.1.8 
Fix node check 2.1.8
 2018-11-08 12:22:17 +00:00
Liz Rice
6e80b6477a Merge branch 'master' into fix-2.1.8 2018-11-08 11:41:54 +00:00
Liz Rice
e1f5bb1ace Merge pull request #173 from aquasecurity/fix-1.1.37 
Fix check 1.1.37.
 2018-11-08 11:40:06 +00:00
Liz Rice
6d8788071f Merge branch 'master' into fix-2.1.8 2018-11-08 11:38:34 +00:00
Liz Rice
f42243e9b5 Merge branch 'master' into fix-1.1.37 2018-11-08 11:35:58 +00:00
Liz Rice
d004acdbba Merge pull request #174 from johscheuer/correct-readme 
Correct readme for 1.11 example
 2018-11-08 11:33:50 +00:00
Abubakr-Sadik Nii Nai Davis
0a5358665e By default --make-iptables-util-chain is true, so PASS if this flag is not set. 2018-11-07 23:57:38 +00:00
Abubakr-Sadik Nii Nai Davis
4f40a11e84 Change binary op from and to or. 2018-11-07 23:54:41 +00:00
Johannes M. Scheuermann
b3b3cb819a Correct readme for 1.11 example 
Signed-off-by: Johannes M. Scheuermann <joh.scheuer@gmail.com>
 2018-11-07 21:51:52 +01:00
Abubakr-Sadik Nii Nai Davis
c0f56e966a Fix check 1.1.37. 2018-11-06 14:35:45 +00:00
Liz Rice
ed7f6cf3fc Merge pull request #171 from nickperry/master 
Fixes https://github.com/aquasecurity/kube-bench/issues/170
 2018-11-01 09:57:14 +00:00
Nick Perry
e083c8f0a3 Fixes https://github.com/aquasecurity/kube-bench/issues/170 
Correcting the logic of 1.1.14 for Kubernetes 1.11.
 2018-10-30 23:40:41 +00:00
Liz Rice
77481e8739 Merge pull request #169 from mikekim/fix-1.3.7 
Fixing 1.3.7 on 1.11 master.
 2018-10-29 12:12:39 +00:00
Liz Rice
48489637c5 Merge branch 'master' into fix-1.3.7 2018-10-29 12:08:22 +00:00
Liz Rice
15537cb42b Merge pull request #168 from mikekim/fix-dollar-in-paths 
Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes.
 2018-10-27 09:31:55 +01:00
Michal Jankowski
9988503223 Fixing 1.3.7 on 1.11 master. 
With multiple test items operator defaults to "and". In case of 1.3.7
the tests check whether --address flag is either set to 127.0.0.1 or not
set at all. Those conditions cannot be met at the same time.
 2018-10-25 15:32:41 -07:00
Michal Jankowski
5f254de415 Fixing checks 2.2.9 and 2.2.10 on 1.11 nodes. 
Path to kubelet configuration was accidentally prefixed with a dollar
symbol (probably as a result of copying some other test that used
variable name).
After removing the dollar sign from paths both checks pass on conforming
deployment.
 2018-10-24 17:06:21 -07:00
Liz Rice
64f4f638e9 Merge pull request #167 from aquasecurity/fix-issue-with-kubelet-config-and-unitfile-checks 
Fix issue with kubelet config and unitfile checks
 2018-10-23 14:45:19 +01:00
Abubakr-Sadik Nii Nai Davis
97623aea05 Update kubernetes node benchmark to check kubelet systemd unitfile. 
Also clean up the config file for 1.11 a bit.
 2018-10-23 02:30:08 +00:00
Abubakr-Sadik Nii Nai Davis
ed21839464 Add getServiceFiles function. 
The CIS benchmark check for node checks 2 config files for kubelet:
  - kubelet config file (kubelet.conf)
  - kubelet systemd unitfile (10-kubeadm.conf)

The getServiceFiles function gets candidates for kubelet systemd
unitfile and returns valid untifiles.
 2018-10-23 02:26:38 +00:00
Liz Rice
277ec9c823 Merge pull request #163 from noqcks/master 
Update tests for Kubernetes 1.11 - thank you @noqcks!
 2018-10-13 22:09:24 +01:00
Abubakr-Sadik Nii Nai Davis
b1369832bc A few corrections to node tests. (#2) 
* Add a few corrections.

* Add a few corrections to node test file.
 2018-10-13 15:48:50 -04:00
Abubakr-Sadik Nii Nai Davis
934b4aef96 Add a few corrections. (#1) 2018-10-12 10:22:08 -04:00
noqcks
e85de9e8af fix simple errors 2018-10-09 19:16:08 -04:00
noqcks
ded5aff482 update README 2018-10-09 18:58:30 -04:00
noqcks
b3a115963b adding 1.11 config and node checks 2018-10-09 18:57:37 -04:00
noqcks
e5c05a97f7 updating README with 1.11 updates 2018-10-09 18:56:48 -04:00
noqcks
ba5ec8d4be adding 1.11 master configuration 2018-10-09 18:34:52 -04:00
Liz Rice
d56afd4104 Merge pull request #159 from lukebond/master 
Update README.md
 2018-09-04 08:37:04 +01:00
Luke Bond
8894b1dc4f Update README.md 
Specify `-t` to get colour in the Docker output.
Added a note about mounting kubectl or kubelet to get the version.
 2018-09-03 23:05:48 +01:00
Liz Rice
ff59938f94 Merge pull request #155 from bvwells/cis-benchmark-link 
Add link to CIS kubernetes benchmark
 2018-08-20 09:14:37 +01:00
bvwells
cc43fcbb7e Add link to CIS kubernetes benchmark 2018-08-10 20:55:02 +01:00
Liz Rice
2f4f55a363 Merge pull request #149 from aquasecurity/itai_cis_results 
Support actual result in json output.
 2018-07-31 18:18:51 +01:00
Itai Ben-Natan
e9076233dd Support actual result in json output. 
This commit adds the actual value of the result
of the value which was returned by the test.
 2018-07-30 14:19:18 +00:00
Liz Rice
b1e41d345f Merge pull request #147 from aquasecurity/version-fix 
Shouldn't need kubelet or kubectl if version specified
 2018-07-28 14:53:56 +01:00
Liz Rice
ccc2b6c9ae Shouldn't need kubelet or kubectl if version specified 2018-07-26 12:03:09 +01:00
Liz Rice
668a9e10ce Merge pull request #141 from aquasecurity/version-default 
Default version
 2018-07-02 15:36:31 +01:00
Liz Rice
8c3bb62dd4 Merge pull request #140 from aquasecurity/manifest-extension 
Inlcude .manifest extension config files for kops & kubespray
 2018-07-02 15:34:49 +01:00
Liz Rice
9d0141871a Use new utility function for finding correct config files. 
Improve order of message output
Remove unnecessary local variable
 2018-06-29 12:20:29 +01:00
Liz Rice
344d2bfd24 Utility for getting the right config file for the Kubernetes version 2018-06-29 12:19:34 +01:00
Liz Rice
ecd14ed682 File substitutions should be a detailed log 2018-06-29 12:19:00 +01:00
Liz Rice
223ac14642 Don't override version specified on command line 2018-06-29 10:35:44 +01:00
Liz Rice
c44e0db97b Inlcude .manifest extension config files for kops & kubespray 2018-06-29 10:24:09 +01:00
Liz Rice
0bc004468b Include .manifest extensions as an option for config files (as used by kops and kubespreay) 2018-06-29 10:23:06 +01:00
Liz Rice
83704a7d89 Merge pull request #134 from hutr/master 
fix grep string for check 1.4.11 and 1.4.12
 2018-06-18 08:44:13 -07:00
Liz Rice
024b7ed396 Merge branch 'master' into master 2018-06-18 08:30:24 -07:00
Liz Rice
c5e04677cf Merge pull request #138 from jgsqware/patch-1 
Rule node 2.2.4 is not correct
 2018-06-18 08:28:38 -07:00
Julien Garcia Gonzalez
2073e08363 update 2.2.4 rules 2018-06-18 13:44:25 +02:00
Julien Garcia Gonzalez
db096c9f51 Rule node 2.2.4 is not correct 2018-06-15 15:49:55 +02:00
hutr
d736d10f90 fix sed string for 1.4.12 2018-06-07 16:34:03 +02:00
hutr
50a3725ff2 Merge branch 'master' into master 2018-06-07 16:12:04 +02:00
hutr
468f5fac6e changes for 1.4.11 and 1.4.2 
added tests: for 1.4.11 and removed grep -v grep for both
 2018-06-07 16:08:43 +02:00
Liz Rice
3408e0f865 Merge pull request #135 from mirwan/node_2.2.6_audit_field 
Addition of missing audit field in 2.2.6 node item
 2018-06-07 13:33:50 +01:00
Erwan Miran
182e9b5e01 Addition of missing audit field in 2.2.6 node item 2018-06-05 15:27:20 +02:00
hutr
e4100a4435 fixed grep string for 1.4.11 and 1.4.22 
check 1.4.11 and 1.4.22 FAIL even when permissions is correct.
 2018-05-28 15:39:07 +02:00
Liz Rice
b502d09f8b Merge pull request #132 from wmedlar/issue-116 
Migrate dependency management to dep
 2018-05-18 10:03:47 +01:00
Will Medlar
6c7422a938 Migrate dependency management to dep 2018-05-16 18:16:41 -05:00
Liz Rice
82b1e05a32 Merge pull request #131 from philalex/fixBooleansComparaison-issue125 
Fix booleans comparaison issue125
 2018-05-15 11:57:44 +01:00
Liz Rice
97e5bc9b97 Merge branch 'master' into fixBooleansComparaison-issue125 2018-05-15 11:42:21 +01:00
Liz Rice
c0d80b4669 Merge pull request #130 from aquasecurity/fix-typo 
A bunch of text edits
 2018-05-15 11:41:51 +01:00
Philippe ALEXANDRE
7b61cf60fe Add strings.ToLower ... 2018-05-15 11:52:49 +02:00
Philippe ALEXANDRE
c4e7487ba7 Do case insensitive comparaison for booleans - Fix #125 2018-05-15 11:48:49 +02:00
Abubakr-Sadik Nii Nai Davis
6d237607fb Fix typo in help text. 2018-05-15 04:50:39 +00:00
Abubakr-Sadik Nii Nai Davis
b4b3ebe99c Add instruction for running kube-bench against a kubernetes cluster. 
#218
 2018-05-15 04:40:41 +00:00
Abubakr-Sadik Nii Nai Davis
609335510a Remove kube-bench --help output. 
It has grown stale and no longer reflects the supported options, and can be misleading (see #127).
 2018-05-15 04:24:33 +00:00
Abubakr-Sadik Nii Nai Davis
5da707b8d6 Remove CIS benchmark version in tool title. 
it has grown stale and is dependent on k8s version we are checking.
 2018-05-15 04:23:39 +00:00
Abubakr-Sadik Nii Nai Davis
b10b2bd22e Merge branch 'master' into fix-typo 2018-05-15 04:09:27 +00:00
Abubakr-Sadik Nii Nai Davis
aa9da13226 Fix a bunch of typos. 2018-05-15 04:08:44 +00:00
Liz Rice
c13632318e Merge pull request #122 from wmedlar/bugfix/docker-entrypoint-fail-on-error 
Fail fast in container entrypoint
 2018-05-11 20:13:58 +01:00
Liz Rice
b649cef047 Merge branch 'master' into bugfix/docker-entrypoint-fail-on-error 2018-05-11 19:58:35 +01:00
Liz Rice
056da1b28d Merge pull request #124 from aquasecurity/travis-docker 
Adding a test install to travis job
 2018-05-11 19:58:05 +01:00
Liz Rice
9810bafabe Adding a test install to travis job 2018-05-11 19:49:11 +01:00
Liz Rice
5eb4ab7479 Merge branch 'master' into bugfix/docker-entrypoint-fail-on-error 2018-05-11 19:25:38 +01:00
Liz Rice
9f5c856206 Merge pull request #123 from Tenzer/add-info-about-version-flag 
Add tip about the `--version` flag to error output
 2018-05-11 19:25:06 +01:00
Jeppe Fihl-Pearson
39d94df81b Add tip about the --version flag to error output 
If people are trying to use the Docker image to check their cluster, there's a
big likelyhood of them hitting the error message saying that either `kubectl`
or `kubelet` need to be found in order for `kube-bench` to be able to determine
the Kubernetes version in use.

This adds a tip that the version can be specified manually with the `--version`
flag which is a lot easier than having to make a new Docker image with the
right version of `kubelet`/`kubectl` in order for `kube-bench` to work.
 2018-05-11 18:58:24 +01:00
Will Medlar
7823ca388c Set -e to fail fast 2018-05-11 13:44:04 -04:00
Liz Rice
b3fc84277d Merge pull request #121 from aquasecurity/request-timeout 
--request-timeout is a duration
 2018-05-11 16:20:40 +01:00
Liz Rice
863a643adb Merge branch 'master' into request-timeout 2018-05-11 16:13:12 +01:00
Liz Rice
1935c952d6 --request-timeout is a duration 2018-05-11 16:03:03 +01:00
Liz Rice
5be0a9fbdf Merge pull request #119 from aquasecurity/fix-install 
Script needs to actually install kube-bench & its config
 2018-05-11 15:45:14 +01:00
Liz Rice
b26b23e573 Script needs to actually install kube-bench & its config! 2018-05-11 15:39:11 +01:00
Liz Rice
3ee43235b5 Merge pull request #117 from aquasecurity/lizrice-patch-1 
Add link to releases page
 2018-05-11 15:33:19 +01:00
Liz Rice
7460037528 Add link to releases page 2018-05-11 12:47:04 +01:00
Liz Rice
479469b3ec Merge pull request #115 from wmedlar/feature/running-in-docker 
Allow kube-bench to be run from inside its container
 2018-05-11 12:38:18 +01:00
Will Medlar
0c52ace48f Install binary and configs as the default behavior 2018-05-06 21:18:47 -05:00
Will Medlar
3eb8a08a9d Freeze alpine to tag 3.7 2018-05-06 21:17:38 -05:00
Will Medlar
1cff0c4da1 Clarify that only Linux is supported when installing from container 2018-05-06 14:01:49 -05:00
Will Medlar
0714683371 Modify entrypoint to allow execution of kube-bench as default 2018-05-06 13:57:58 -05:00
Will Medlar
3560bbbbfa Allow kube-bench to be run inside its distribution container 2018-05-06 13:35:23 -05:00
Liz Rice
67786fd3ef Merge pull request #111 from aquasecurity/logo 
Add logo
 2018-04-20 13:31:48 +01:00
Liz Rice
033245f71c logo in svg format 2018-04-20 13:18:55 +01:00
Liz Rice
cb4bec9120 logo instead of heading 2018-04-20 13:07:49 +01:00
Liz Rice
f065893f52 Add logo to readme 2018-04-20 13:05:30 +01:00
Liz Rice
5ee7c1b0db kube-bench logo 2018-04-20 13:02:22 +01:00
Liz Rice
ec51a4eabb Merge pull request #108 from wmedlar/feature/issue-107 
Allow kubernetes version and config directory to be specified (resolves #107). Thank you @wmedlar!
 2018-04-16 17:17:45 +01:00
Liz Rice
0b4872104d Merge branch 'master' into feature/issue-107 2018-04-16 17:15:30 +01:00
Liz Rice
46bbcdd9bc Merge pull request #106 from aquasecurity/additional-flags 
Add extra output manipulation flags
 2018-04-15 19:17:43 +02:00
Will Medlar
9469b1c124 Allow kubernetes version and config directory to be specified (resolves #107) 2018-04-12 15:01:58 -04:00
Abubakr-Sadik Nii Nai Davis
ade064006e Add extra output manipulation flags, --noremediations, --nosummary and 
--noresults.

These flags disable printing sections of the final output of kube-bench.
 2018-04-10 20:01:47 +00:00
Liz Rice
ef6c017f54 Merge pull request #104 from aquasecurity/update-goreleaser 
Add homepage to goreleaser config to fix build
 2018-04-04 15:02:41 +01:00
Liz Rice
b587e7a996 Add homepage to goreleaser config to fix build 2018-04-04 14:57:28 +01:00
Liz Rice
bad3508ba3 Merge pull request #102 from aquasecurity/update-goreleaser 
Update to nfpm as fpm is deprecated
 2018-04-04 14:01:17 +01:00
Liz Rice
0d84dc4d42 Update to nfpm as fpm is deprecated 2018-04-04 11:31:47 +01:00
Liz Rice
51212b861f Merge pull request #101 from aquasecurity/version-fallback2 
Use 1.8 tests for k8s 1.9 and 1.10
 2018-04-04 10:54:55 +01:00
Liz Rice
728cb0765f Use 1.8 tests for k8s 1.9 and 1.10 2018-04-04 10:49:05 +01:00
Liz Rice
d846b221e5 Merge pull request #100 from philalex/use_kubelet 
Use kubelet
 2018-04-04 08:58:56 +01:00
Philippe ALEXANDRE
f091c8adea Remove the old lines of fmt.Sprintf in cmd/common.go 2018-03-27 15:33:01 +02:00
Philippe ALEXANDRE
d6c16f7563 Try to use kubelet when kubectl is unavailable 2018-03-23 09:29:17 +01:00
Philippe ALEXANDRE
c86d0ff81b Replace fmt.Sprintf by filepath.Join 2018-03-23 09:27:48 +01:00
Liz Rice
c808d9527d Merge pull request #96 from clemensw/patch-1 
Update README.md to reflect that the --installation option has been r…
 2018-02-23 17:17:28 +00:00
clemensw
95769cae83 Update README.md to reflect that the --installation option has been removed. 2018-02-23 17:12:52 +01:00
Liz Rice
1f52a13400 Merge pull request #94 from jaxxstorm/test_updates 
Test fixes for 1.8
 2018-01-30 19:58:12 +00:00
Liz Rice
7f41564a62 Merge branch 'master' into test_updates 2018-01-30 19:50:13 +00:00
Liz Rice
8c56ca650a Merge pull request #84 from jaxxstorm/u/jaxxstorm/golint 
Lint all code for golint tests
 2018-01-30 19:49:58 +00:00
Liz Rice
58b6358a02 Merge branch 'master' into u/jaxxstorm/golint 2018-01-30 19:46:44 +00:00
Liz Rice
731fcb4437 Merge pull request #95 from jaxxstorm/docker_remove 
Remove docker build
 2018-01-30 19:33:37 +00:00
Lee Briggs
fe23f8140a Remove docker build 2018-01-30 11:16:53 -08:00
Lee Briggs
d464ab5639 Wrong configuration file 2018-01-30 09:49:41 -08:00
Lee Briggs
165444df60 Test fixes for 1.8 2018-01-30 09:28:20 -08:00
Liz Rice
18032b22eb Merge pull request #91 from aquasecurity/lizrice-patch-1 
Fix build
 2018-01-30 17:13:42 +00:00
Liz Rice
c389d6ecf2 Fix build 
Copy the cfg files and entrypoint.sh from the first stage of the multistage build
 2018-01-30 16:56:23 +00:00
Liz Rice
4f07b01ead Merge pull request #83 from jaxxstorm/u/jaxxstorm/goreleaser 
Add goreleaser configuration
 2018-01-30 09:24:07 +00:00
Lee Briggs
e0a032dfbb Merge remote-tracking branch 'upstream/master' into u/jaxxstorm/goreleaser 2018-01-26 11:43:20 -08:00
Liz Rice
0c309bc1d4 Merge pull request #90 from jhvhs/master 
Improve etcd data directory extraction
 2018-01-25 13:16:32 +00:00
Liz Rice
4b1b2b8762 Merge branch 'master' into master 2018-01-25 13:13:57 +00:00
Liz Rice
4f90a1361c Merge pull request #68 from aquasecurity/unnecessary-warning 
Improves the way we get config & binary file names for different installation methods.
 2018-01-25 13:12:30 +00:00
Liz Rice
fc4fe38bc2 Merge branch 'master' into unnecessary-warning 2018-01-25 13:01:48 +00:00
Konstantin Semenov
961dbeb2b5 Correct sed regex 2018-01-25 00:34:52 +00:00
Konstantinos Karampogias
8fc6904093 Improve etcd data directory extraction 
- If data-dir is not the last argument, the remaining arguments
  are captured preventing the correct checking.

Signed-off-by: Konstantin Semenov <ksemenov@pivotal.io>
 2018-01-24 14:17:45 +00:00
Liz Rice
be0134de95 Merge pull request #89 from aquasecurity/issue-88 
Fix etcd tests fail because kube-bench expects flags to be set with equal sign
 2018-01-19 11:44:17 +00:00
Abubakr-Sadik Nii Nai Davis
7fcfb0cf30 Fix issue with etcd checks failing because of using " " instead of "=" to specify value. 
This issue affects master checks 1.4.11 and 1.4.12.
 2018-01-18 14:41:46 +00:00
Liz Rice
c9227c0eea Merge branch 'master' into unnecessary-warning 2018-01-15 11:30:25 +00:00
jerbia
850cde23e9 Added travis token (#87) 2018-01-15 01:24:42 +02:00
jerbia
cbe02e1d5e Fixed typo in entrypoint.sh (#86) 
The entrypoint.sh had a typo where it tried coping files from "/kube-bench" instead of just "/".
 2018-01-15 00:59:27 +02:00
Lee Briggs
f63cd11807 Fix docker repo path 2018-01-12 08:54:39 -08:00
Lee Briggs
94a1f3c41f Lint all code for golint tests 2018-01-11 10:01:58 -08:00
Lee Briggs
3dd5db693d Add goreleaser configuration 2018-01-11 09:48:57 -08:00
Liz Rice
e7152265eb Merge pull request #82 from aquasecurity/lizrice-patch-1 
Minor format update to readme
 2018-01-11 19:20:49 +02:00
Liz Rice
1e25e089d0 Minor format update to readme 2018-01-11 16:54:40 +00:00
Liz Rice
b42f2ba39e Merge branch 'master' into unnecessary-warning 2018-01-11 18:48:15 +02:00
Liz Rice
22e46990db Merge pull request #81 from jaxxstorm/u/jaxxstorm/deps 
Add glide dependencies
 2018-01-11 18:47:52 +02:00
Lee Briggs
216b1d497a Fix glide install instructions 2018-01-11 08:23:46 -08:00
Lee Briggs
033ab5638c Add glide dependencies 
Also update build from source instructions
 2018-01-09 12:54:18 -08:00
Liz Rice
94b960cfad Merge pull request #75 from nuwaida/master 
Result structure changes
 2017-11-29 18:40:37 +00:00
nazemu
017a9836ce Result structure changes 
Changes to the json structure and field names
 2017-11-29 19:04:05 +02:00
Liz Rice
a863cf87ca Merge pull request #74 from aquasecurity/multistage 
Multistage build
 2017-11-29 11:30:22 +00:00
Abubakr-Sadik Nii Nai Davis
64aaef7997 Fixed expected return for getKubeVersion. 2017-11-28 17:47:57 +00:00
Abubakr-Sadik Nii Nai Davis
53eb720952 Merge branch 'master' into unnecessary-warning 2017-11-28 17:44:53 +00:00
Abubakr-Sadik Nii Nai Davis
04f044e3b9 Add support for merging general and kubernetes version specific config files. 
This change unifies all config files, podspecs and unitfiles under
a single component configuration key; `config`.
 2017-11-28 17:38:34 +00:00
Liz Rice
7b538ed6e4 Multistage build 2017-11-27 11:51:20 +00:00
Liz Rice
778c662055 Merge pull request #69 from aquasecurity/fix-kubeversion-fail 
Exit kube-bench if we can't get valid kubernetes server version
 2017-11-21 13:25:11 +00:00
Liz Rice
97485419e2 Can't run kubectl on Travis so I don't know how this test ever worked 2017-11-21 13:21:47 +00:00
Liz Rice
730871f330 Fix kubeVersion regex tests 2017-11-21 13:19:09 +00:00
Abubakr-Sadik Nii Nai Davis
471c02f4d7 Merge branch 'fix-kubeversion-fail' of github.com:aquasecurity/kube-bench into fix-kubeversion-fail 2017-11-21 12:20:22 +00:00
Abubakr-Sadik Nii Nai Davis
c93c94b3f6 Fix version check regexp. 2017-11-21 12:20:02 +00:00
Liz Rice
1d7df75f57 Merge branch 'master' into fix-kubeversion-fail 2017-11-16 10:00:46 +02:00
Abubakr-Sadik Nii Nai Davis
c60c459bc4 Fix bug causing kubectl version to always return default version. 2017-11-14 22:27:55 +00:00
Liz Rice
4907843b7b Merge pull request #71 from aquasecurity/lizrice-patch-2 
Correct test config file typo
 2017-11-14 18:12:25 +02:00
Liz Rice
d52e326147 Correct test config file typo 2017-11-14 18:05:40 +02:00
Abubakr-Sadik Nii Nai Davis
42a1068964 Add default version if version check fails. 2017-11-13 15:25:34 +00:00
Abubakr-Sadik Nii Nai Davis
f90dd925b8 Exit kube-bench if we can't get valid kubernetes server version and 
improve error messages.
 2017-11-03 13:11:10 +00:00
Abubakr-Sadik Nii Nai Davis
31b5910a7f Remove unnecessary warnings about missing config files. 2017-11-03 10:41:01 +00:00
Liz Rice
85fb818e41 Merge pull request #67 from aquasecurity/config-spacing 
Remove odd spacing and line breaks from test config files
 2017-11-02 11:14:03 +00:00
Liz Rice
2eb261b94f Remove odd spacing and line breaks from test config files 2017-11-02 09:51:03 +00:00
Liz Rice
732b987d6d Merge pull request #61 from bitvector2/master 
added saving results to PostgreSQL DB as a JSONB document
 2017-11-02 08:34:13 +00:00
Steven Logue
909e6cc874 created database.go file and moved DB function into it 2017-11-01 10:15:31 -07:00
Liz Rice
1b13375ff7 Merge branch 'master' into master 2017-11-01 15:06:40 +00:00
Liz Rice
bdb5ccf982 Merge pull request #64 from aquasecurity/lizrice-patch-1 
Update README for Kubernetes 1.8 support
 2017-11-01 15:06:20 +00:00
Liz Rice
83e58b86db Update README for Kubernetes 1.8 support 2017-11-01 15:04:25 +00:00
Liz Rice
1faeb55b67 Merge branch 'master' into master 2017-11-01 14:46:48 +00:00
Steven Logue
f7d4f03f48 fixed typo in makefile 2017-10-31 13:12:20 -07:00
Steven Logue
d79a2a5478 added support for saving scan results to pgsql 2017-10-31 13:08:46 -07:00
47 changed files with 7869 additions and 508 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -1,2 +1,6 @@
kube-bench
*.swp
vendor
dist
.vscode/
hack/kind.test.yaml

19
.goreleaser.yml Normal file
View File

@@ -0,0 +1,19 @@
builds:
- main: main.go
binary: kube-bench
goos:
- darwin
- linux
goarch:
- amd64
# Archive customization
archive:
format: tar.gz
nfpm:
vendor: Aqua Security
description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
license: Apache-2.0
homepage: https://github.com/aquasecurity/kube-bench
formats:
- deb
- rpm

33
.travis.yml
View File

@@ -1,6 +1,33 @@
---
language: go
install:
- go get github.com/aquasecurity/kube-bench
sudo: required
services:
- docker
notifications:
email: false
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y rpm
- gem install --no-ri --no-rdoc fpm
install:
- go get -v github.com/golang/dep/cmd/dep
- dep ensure -v -vendor-only
script:
- go test ./...
- go build -o kube-bench .
- docker build --tag kube-bench .
- docker run -v `pwd`:/host kube-bench install
- test -d cfg
- test -f kube-bench
after_success:
- test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash
env:
global:
secure: mb8AYZKDo6hkKN+2F9ldXcw27Yn2AfxpXvKlD8GD7NdGOI+TaiSFbE0I+qqTa/1DqcRekCQwqN7OG/17s9JDkgzUXYuYUGlVUOM4WbeJoSlzJFIOh9r9R/JddluYJohypgkE20IBHIrEHq5sY0Nn1Pl9WgSQFaVcQjxkX009AOuVjN0o5HcoXsb5hAzvHrpoSPkcSSqq7VWab60TgUttVaRlZSGwGdSYQEqk5TdO0hWHuXyxaaEPybgFIyZLLbxPS4JmMz8n3Sngetpw9Jgc+V9Fc7wKXpjvZZ33SpArG5p5ZFFu2YQOXFLZth9qtQOjduQ2gU1kHN6WjWnJ8QX2s8vmU38Tk19kd5i+mz9dvc87IdBvmTIqVYSpM6AAYa2osBGP3f97Rj2S68lTad4ecSVyHdsjz56vdE3ZH4wskswmogbKkVdvO4biPHxT6odszBxYLEJuRJyZ7ckXd52MCzqAUPrw7YUuH8N1mLIlf7V5bW5R+q4DlKw774zxnHiWrymXGvlINSrB0qxBn8Fii6ib+Pacl3PuqSumCcgIHlVjqrzIXaqcTMn2/ABZYC99mralGvwA/EgNa8CBKB5evMCEwWa5Ntvcs2I2DFcO5Q2WzN4H0YScyAzzCzK7/3hWJE/rUIJntwiSXkV3MSa1yxWSGGH8F1lcz+lzgTBm/MU=

27
Dockerfile
View File

@@ -1,13 +1,22 @@
FROM golang:1.8
WORKDIR /kube-bench
RUN go get github.com/aquasecurity/kube-bench
RUN cp /go/bin/kube-bench /kube-bench/ && chmod +x /kube-bench/kube-bench
RUN cp -r /go/src/github.com/aquasecurity/kube-bench/cfg cfg
FROM golang:1.9 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
ADD Gopkg.toml Gopkg.lock ./
RUN go get -v github.com/golang/dep/cmd/dep && dep ensure -v -vendor-only
ADD main.go .
ADD check/ check/
ADD cmd/ cmd/
RUN CGO_ENABLED=0 go install -a -ldflags '-w'
# When Docker Hub supports it, we would split this into a multi-stage build with the second part based on, say, alpine for size
WORKDIR /
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT /entrypoint.sh
FROM alpine:3.7 AS run
WORKDIR /opt/kube-bench/
# add GNU ps for -C, -o cmd, and --no-headers support
# https://github.com/aquasecurity/kube-bench/issues/109
RUN apk --no-cache add procps
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
ADD entrypoint.sh .
ADD cfg/ cfg/
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]
# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE

205
Gopkg.lock generated Normal file
View File

@@ -0,0 +1,205 @@
# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
[[projects]]
digest = "1:938a2672d6ebbb7f7bc63eee3e4b9464c16ffcf77ec8913d3edbf32b4e3984dd"
name = "github.com/fatih/color"
packages = ["."]
pruneopts = "UT"
revision = "570b54cabe6b8eb0bc2dfce68d964677d63b5260"
version = "v1.5.0"
[[projects]]
digest = "1:38c783cf85b9454cc02a1a8319239800ed0af6c1c864adf19cea0539e134adad"
name = "github.com/fsnotify/fsnotify"
packages = ["."]
pruneopts = "UT"
revision = "4da3e2cfbabc9f751898f250b49f2439785783a1"
[[projects]]
branch = "master"
digest = "1:1ba1d79f2810270045c328ae5d674321db34e3aae468eb4233883b473c5c0467"
name = "github.com/golang/glog"
packages = ["."]
pruneopts = "UT"
revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998"
[[projects]]
digest = "1:145eff5207977eb95c3649a27cdc2e467d8a1c104810bc12b6a53745a91d823a"
name = "github.com/hashicorp/hcl"
packages = [
".",
"hcl/ast",
"hcl/parser",
"hcl/scanner",
"hcl/strconv",
"hcl/token",
"json/parser",
"json/scanner",
"json/token",
]
pruneopts = "UT"
revision = "23c074d0eceb2b8a5bfdbb271ab780cde70f05a8"
[[projects]]
digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be"
name = "github.com/inconshreveable/mousetrap"
packages = ["."]
pruneopts = "UT"
revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75"
version = "v1.0"
[[projects]]
digest = "1:510a2b056950ed12b4f3ac704ee1b34fd1920cb5b26f60f98d069de89c60adb7"
name = "github.com/jinzhu/gorm"
packages = [
".",
"dialects/postgres",
]
pruneopts = "UT"
revision = "5174cc5c242a728b435ea2be8a2f7f998e15429b"
version = "v1.0"
[[projects]]
digest = "1:2cf1e05311b662e68d938f6655c6c5a44ae0e6b3995e390c75fcd8224afa48df"
name = "github.com/jinzhu/inflection"
packages = ["."]
pruneopts = "UT"
revision = "1c35d901db3da928c72a72d8458480cc9ade058f"
[[projects]]
digest = "1:38dd5cee5306173bfe78f8c401edec1e08f772551bee95a85617b4e39347e366"
name = "github.com/lib/pq"
packages = [
".",
"hstore",
"oid",
]
pruneopts = "UT"
revision = "83612a56d3dd153a94a629cd64925371c9adad78"
[[projects]]
digest = "1:9cbfcfd1ec741817698b844d17b523f54682a5f7c8683b1ec62b6b6542143240"
name = "github.com/magiconair/properties"
packages = ["."]
pruneopts = "UT"
revision = "49d762b9817ba1c2e9d0c69183c2b4a8b8f1d934"
[[projects]]
digest = "1:31fcf8f5f8f6cc36ef11182c0a0f63ba464e1a7ad9f0e92a7cf46f38bfc0adfd"
name = "github.com/mattn/go-colorable"
packages = ["."]
pruneopts = "UT"
revision = "5411d3eea5978e6cdc258b30de592b60df6aba96"
[[projects]]
digest = "1:fa610f9fe6a93f4a75e64c83673dfff9bf1a34bbb21e6102021b6bc7850834a3"
name = "github.com/mattn/go-isatty"
packages = ["."]
pruneopts = "UT"
revision = "57fdcb988a5c543893cc61bce354a6e24ab70022"
[[projects]]
digest = "1:56a0bd1a1f3809171d1abe0bfd389558be0cd672e858e1f831b88f806aa8764f"
name = "github.com/mitchellh/mapstructure"
packages = ["."]
pruneopts = "UT"
revision = "06020f85339e21b2478f756a78e295255ffa4d6a"
[[projects]]
digest = "1:128af710970a788bb2348dbcdde6b86fa41f92086297f909d659b6d3affc2902"
name = "github.com/pelletier/go-toml"
packages = ["."]
pruneopts = "UT"
revision = "0131db6d737cfbbfb678f8b7d92e55e27ce46224"
[[projects]]
digest = "1:1fccaaeae58b2a2f1af4dbf7eee92ff14f222e161d143bfd20082ef664f91216"
name = "github.com/spf13/afero"
packages = [
".",
"mem",
]
pruneopts = "UT"
revision = "57afd63c68602b63ed976de00dd066ccb3c319db"
[[projects]]
digest = "1:9b28ee2984c69d78afe2ce52b1650ba91a6381f355ff08c1d0e53d9e66bd62fe"
name = "github.com/spf13/cast"
packages = ["."]
pruneopts = "UT"
revision = "acbeb36b902d72a7a4c18e8f3241075e7ab763e4"
version = "v1.1.0"
[[projects]]
digest = "1:7ffc0983035bc7e297da3688d9fe19d60a420e9c38bef23f845c53788ed6a05e"
name = "github.com/spf13/cobra"
packages = ["."]
pruneopts = "UT"
revision = "7b2c5ac9fc04fc5efafb60700713d4fa609b777b"
version = "v0.0.1"
[[projects]]
digest = "1:9f28b7e326b8cd1db556678b7ce679cf9bf888647e40922f91d9d40f451f942b"
name = "github.com/spf13/jwalterweatherman"
packages = ["."]
pruneopts = "UT"
revision = "12bd96e66386c1960ab0f74ced1362f66f552f7b"
[[projects]]
digest = "1:772bf4d1907ccb275aaa532ec6cb0d85fc61bd05648af28551590af3ea4e2d53"
name = "github.com/spf13/pflag"
packages = ["."]
pruneopts = "UT"
revision = "4c012f6dcd9546820e378d0bdda4d8fc772cdfea"
[[projects]]
digest = "1:f8e1a678a2571e265f4bf91a3e5e32aa6b1474a55cb0ea849750cc177b664d96"
name = "github.com/spf13/viper"
packages = ["."]
pruneopts = "UT"
revision = "25b30aa063fc18e48662b86996252eabdcf2f0c7"
version = "v1.0.0"
[[projects]]
digest = "1:c9c0ba9ea00233c41b91e441cfd490f34b129bbfebcb1858979623bd8de07f72"
name = "golang.org/x/sys"
packages = ["unix"]
pruneopts = "UT"
revision = "e24f485414aeafb646f6fca458b0bf869c0880a1"
[[projects]]
digest = "1:8029e9743749d4be5bc9f7d42ea1659471767860f0cdc34d37c3111bd308a295"
name = "golang.org/x/text"
packages = [
"internal/gen",
"internal/triegen",
"internal/ucd",
"transform",
"unicode/cldr",
"unicode/norm",
]
pruneopts = "UT"
revision = "e19ae1496984b1c655b8044a65c0300a3c878dd3"
[[projects]]
digest = "1:cb130999076da4717267c51235d62b63228c330ad86160255cbe3276de4c9892"
name = "gopkg.in/yaml.v2"
packages = ["."]
pruneopts = "UT"
revision = "c95af922eae69f190717a0b7148960af8c55a072"
[solve-meta]
analyzer-name = "dep"
analyzer-version = 1
input-imports = [
"github.com/fatih/color",
"github.com/golang/glog",
"github.com/jinzhu/gorm",
"github.com/jinzhu/gorm/dialects/postgres",
"github.com/spf13/cobra",
"github.com/spf13/viper",
"gopkg.in/yaml.v2",
]
solver-name = "gps-cdcl"
solver-version = 1

23
Gopkg.toml Normal file
View File

@@ -0,0 +1,23 @@
[[constraint]]
name = "github.com/fatih/color"
version = "1.5.0"
[[constraint]]
branch = "master"
name = "github.com/golang/glog"
[[constraint]]
name = "github.com/jinzhu/gorm"
version = "1.0.0"
[[constraint]]
name = "github.com/spf13/cobra"
version = "0.0.1"
[[constraint]]
name = "github.com/spf13/viper"
version = "1.0.0"
[prune]
go-tests = true
unused-packages = true

5
NOTICE Normal file
View File

@@ -0,0 +1,5 @@
kube-bench
Copyright 2017-2019 Aqua Security Software Ltd.
This product includes software developed by Aqua Security (https://aquasec.com).

173
README.md
View File

@@ -3,54 +3,133 @@
[![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
[![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench)
# kube-bench
<img src="images/kube-bench.png" width="200" alt="kube-bench logo">
The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
![Kubernetes Bench for Security](https://raw.githubusercontent.com/aquasecurity/kube-bench/master/images/output.png "Kubernetes Bench for Security")
## CIS Kubernetes Benchmark support
kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.
| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|---|---|---|
| 1.0.0| 1.6 | 1.6 |
| 1.1.0| 1.7 | 1.7 |
| 1.2.0| 1.8 | 1.8-1.10 |
| 1.3.0| 1.11 | 1.11-1.12 |
| 1.4.0| 1.13 | 1.13- |
By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
## Installation
You can either install kube-bench through a dedicated container, or compile it from source:
You can choose to
* run kube-bench from inside a container (sharing PID namespace with the host)
* run a container that installs kube-bench on the host, and then run kube-bench directly on the host
* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),
* compile it from source.
1. Container installation:
Run ```docker run --rm -v `pwd`:/host aquasec/kube-bench:latest```. This will copy the kube-bench binary and configuration to you host. You can then run ```./kube-bench <master|node>```.
### Running inside a container
2. Install from sources:
If Go is installed on the target machines, you can simply clone this repository and run as follows:
```go get github.com/aquasecurity/kube-bench```
```cp $GOROOT/bin/kube-bench .```
```./kube-bench <master|node>```
## Usage
```./kube-bench [command]```
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions.
```
Available Commands:
federated Run benchmark checks for a Kubernetes federated deployment.
help Help about any command
master Run benchmark checks for a Kubernetes master node.
node Run benchmark checks for a Kubernetes node.
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest [master|node]
```
You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node]
```
> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
### Running in a kubernetes cluster
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
Master nodes are automatically detected by kube-bench and will run master checks when possible.
The detection is done by verifying that mandatory components for master are running. (see [config file](#configuration).
The supplied `job.yaml` file can be applied to run the tests as a job. For example:
```bash
$ kubectl apply -f job.yaml
job.batch/kube-bench created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 ContainerCreating 0 3s
# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 Completed 0 11s
# The results are held in the pod's logs
k logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...
```
You can still force to run specific master or node checks using respectively `job-master.yaml` and `job-node.yaml`.
To run the tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.
The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
### Installing from a container
This command copies the kube-bench binary and configuration files to your host from the Docker container:
** binaries compiled for linux-x86-64 only (so they won't run on OSX or Windows) **
```
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
```
You can then run `./kube-bench [master|node]`.
### Installing from sources
If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)):
```shell
go get github.com/aquasecurity/kube-bench
go get github.com/golang/dep/cmd/dep
cd $GOPATH/src/github.com/aquasecurity/kube-bench
$GOPATH/bin/dep ensure -vendor-only
go build -o kube-bench .
# See all supported options
./kube-bench --help
# Run the all checks
./kube-bench
Flags:
-c, --check string A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"
--config string config file (default is ./cfg/config.yaml)
-g, --group string Run all the checks under this comma-delimited list of groups. Example --group="1.1"
--installation string Specify how kubernetes cluster was installed. Possible values are default,hyperkube,kops,kubeadm (default "default")
--json Prints the results as JSON
-v, --verbose verbose output (default false)
```
## Configuration
Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file.
For each type of node (*master*, *node* or *federated*) there is a list of components, and for each component there is a set of binaries (*bins*) and config files (*confs*) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to `cfg/config.yaml`.
Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file.
* **bins** - If there is a *bins* list for a component, at least one of these binaries must be running. The tests will consider the parameters for the first binary in the list found to be running.
* **confs** - If one of the listed config files is found, this will be considered for the test. Tests can continue even if no config file is found. If no file is found at any of the listed locations, and a *defaultconf* location is given for the component, the test will give remediation advice using the *defaultconf* location.
For each type of node (*master*, *node* or *federated*) there is a list of components, and for each component there is a set of binaries (*bins*) and config files (*confs*) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to `cfg/config.yaml`.
* **bins** - If there is a *bins* list for a component, at least one of these binaries must be running. The tests will consider the parameters for the first binary in the list found to be running.
* **podspecs** - From version 1.2.0 of the benchmark (tests for Kubernetes 1.8), the remediation instructions were updated to assume that the configuration for several kubernetes components is defined in a pod YAML file, and podspec settings define where to look for that configuration.
* **confs** - If one of the listed config files is found, this will be considered for the test. Tests can continue even if no config file is found. If no file is found at any of the listed locations, and a *defaultconf* location is given for the component, the test will give remediation advice using the *defaultconf* location.
* **unitfiles** - From version 1.2.0 of the benchmark (tests for Kubernetes 1.8), the remediation instructions were updated to assume that kubelet configuration is defined in a service file, and this setting defines where to look for that configuration.
## Output
There are three output states
- [PASS] and [FAIL] indicate that a test was run successfully, and it either passed or failed
- [WARN] means this test needs further attention, for example it is a test that needs to be run manually
- [INFO] is informational output that needs no further action.
## Test config YAML representation
The tests are represented as YAML documents (installed by default into ./cfg).
@@ -84,6 +163,20 @@ Recommendations (called `checks` in this document) can run on Kubernetes Master,
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
### Omitting checks
If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type `skip` as in this example:
```yaml
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
type: "skip"
scored: true
```
No tests will be run for this check and the output will be marked [INFO].
## Tests
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
@@ -109,5 +202,21 @@ These operations are:
- `has`: tests if the flag value contains the compared value.
- `nothave`: tests if the flag value does not contain the compared value.
# Roadmap
The tests are up-to-date with the CIS Benchmark 1.1.0, which refers to Kubernetes 1.7. Going forward we should release updates to kube-bench to reflect new releases of the Benchmark, which in turn we can anticipate being made for each new Kubernetes release.
# Roadmap
Going forward we plan to release updates to kube-bench to add support for new releases of the Benchmark, which in turn we can anticipate being made for each new Kubernetes release.
We welcome PRs and issue reports.
# Testing locally with kind
Our makefile contains targets to test your current version of kube-bench inside a [Kind](https://kind.sigs.k8s.io/) cluster. This can be very handy if you don't want to run a real kubernetes cluster for development purpose.
First you'll need to create the cluster using `make kind-test-cluster` this will create a new cluster if it cannot be found on your machine. By default the cluster is named `kube-bench` but you can change the name by using the environment variable `KIND_PROFILE`.
*If kind cannot be found on your system the target will try to install it using `go get`*
Next you'll have to build the kube-bench docker image using `make build-docker`, then we will be able to push the docker image to the cluster using `make kind-push`.
Finally we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit)
Everytime you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )

29
cfg/1.11/config.yaml Normal file
View File

@@ -0,0 +1,29 @@
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
master:
apiserver:
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager:
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd:
defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /etc/kubernetes/kubelet.conf
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

1446
cfg/1.11/master.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

499
cfg/1.11/node.yaml Normal file
View File

@@ -0,0 +1,499 @@
---
controls:
version: 1.11
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--allow-privileged"
compare:
op: eq
value: false
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false .
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: nothave
value: "AlwaysAllow"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--client-ca-file"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--read-only-port"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--streaming-connection-idle-timeout"
compare:
op: noteq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--protect-kernel-defaults"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
- flag: "--make-iptables-util-chains"
compare:
op: eq
value: true
set: true
- flag: "--make-iptables-util-chains"
set: false
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.9
text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--hostname-override"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.10
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--event-qps"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.11
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
set: true
- flag: "--tls-private-key-file"
set: true
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.12
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
- flag: "--cadvisor-port"
compare:
op: eq
value: 0
set: true
- flag: "--cadvisor-port"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.13
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--rotate-certificates"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.14
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "RotateKubeletServerCertificate"
compare:
op: eq
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.15
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--tls-cipher-suites"
compare:
op: eq
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
set: true
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: 644
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxykubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxykubeconfig
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
remediation: |
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
type: manual
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
scored: true
- id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
scored: true
- id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
scored: true

29
cfg/1.13/config.yaml Normal file
View File

@@ -0,0 +1,29 @@
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
master:
apiserver:
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager:
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd:
defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /etc/kubernetes/kubelet.conf
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

1503
cfg/1.13/master.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

480
cfg/1.13/node.yaml Normal file
View File

@@ -0,0 +1,480 @@
---
controls:
version: 1.13
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false .
If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: nothave
value: "AlwaysAllow"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--client-ca-file"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--read-only-port"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--streaming-connection-idle-timeout"
compare:
op: noteq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--protect-kernel-defaults"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
- flag: "--make-iptables-util-chains"
compare:
op: eq
value: true
set: true
- flag: "--make-iptables-util-chains"
set: false
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.8
text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--hostname-override"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.9
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--event-qps"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
set: true
- flag: "--tls-private-key-file"
set: true
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.11
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
- flag: "--cadvisor-port"
compare:
op: eq
value: 0
set: true
- flag: "--cadvisor-port"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.12
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--rotate-certificates"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.13
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "RotateKubeletServerCertificate"
compare:
op: eq
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.14
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--tls-cipher-suites"
compare:
op: eq
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
set: true
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: 644
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxykubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxykubeconfig
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
remediation: |
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
type: manual
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
scored: true
- id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
scored: true
- id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
scored: true

4
cfg/1.6/master.yaml
View File

@@ -731,7 +731,7 @@ groups:
- id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
tests:
test_items:
- flag: "700"
@@ -748,7 +748,7 @@ groups:
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"

4
cfg/1.7/master.yaml
View File

@@ -793,7 +793,7 @@ groups:
- id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
tests:
test_items:
- flag: "700"
@@ -810,7 +810,7 @@ groups:
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"

42
cfg/1.8/config.yaml Normal file
View File

@@ -0,0 +1,42 @@
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
master:
apiserver:
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.manifest
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.manifest
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager:
confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.manifest
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd:
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.manifest
defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /var/lib/kubelet/config.yaml
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultkubeconfig: /etc/kubernetes/kubelet.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

84
cfg/1.8/federated.yaml
View File

@@ -19,9 +19,8 @@ groups:
value: false
set: true
remediation: |
Edit the deployment specs and set --anonymous-auth=false .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
Edit the deployment specs and set --anonymous-auth=false.
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.2
@@ -33,9 +32,8 @@ groups:
set: false
remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the deployment specs and remove "--basic-auth-file=<filename>" .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
edit the deployment specs and remove "--basic-auth-file=<filename>".
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.3
@@ -46,9 +44,8 @@ groups:
- flag: "--insecure-allow-any-token"
set: false
remediation: |
Edit the deployment specs and remove --insecure-allow-any-token .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
Edit the deployment specs and remove --insecure-allow-any-token.
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.4
@@ -59,9 +56,8 @@ groups:
- flag: "--insecure-bind-address"
set: false
remediation: |
Edit the deployment specs and remove --insecure-bind-address .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
Edit the deployment specs and remove --insecure-bind-address.
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.5
@@ -75,9 +71,8 @@ groups:
value: 0
set: true
remediation: |
Edit the deployment specs and set --insecure-port=0 .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
Edit the deployment specs and set --insecure-port=0.
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.6
@@ -95,8 +90,7 @@ groups:
set: false
remediation: |
Edit the deployment specs and set the --secure-port argument to the desired port.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.7
@@ -110,9 +104,8 @@ groups:
value: false
set: true
remediation: |
Edit the deployment specs and set "--profiling=false" :
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
Edit the deployment specs and set "--profiling=false":
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
score: true
- id: 3.1.8
@@ -128,8 +121,7 @@ groups:
remediation: |
Edit the deployment specs and set --admission-control argument to a value that does not
include AlwaysAdmit .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.9
@@ -144,9 +136,8 @@ groups:
set: true
remediation: |
Edit the deployment specs and set --admission-control argument to a value that includes
NamespaceLifecycle .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
NamespaceLifecycle.
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.10
@@ -172,8 +163,7 @@ groups:
set: true
remediation: |
Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.12
@@ -188,8 +178,7 @@ groups:
set: true
remediation: |
Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.13
@@ -204,8 +193,7 @@ groups:
set: true
remediation: |
Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.14
@@ -221,8 +209,7 @@ groups:
remediation: |
Edit the deployment specs and set --authorization-mode argument to a value other than
AlwaysAllow
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.15
@@ -235,8 +222,7 @@ groups:
remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the deployment specs and remove the --token-auth-file=<filename> argument.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.16
@@ -251,8 +237,7 @@ groups:
set: true
remediation: |
Edit the deployment specs and set "--service-account-lookup=true" .
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.17
@@ -264,8 +249,7 @@ groups:
set: true
remediation: |
Edit the deployment specs and set --service-account-key-file argument as appropriate.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.18
@@ -281,11 +265,10 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
federation apiserver and etcd. Then, edit the deployment specs and set "--etcd-
certfile=<path/to/client-certificate-file>" and "--etcd-
keyfile=<path/to/client-key-file>" arguments.
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
federation apiserver and etcd. Then, edit the deployment specs and set
"--etcd-certfile=<path/to/client-certificate-file>" and
"--etcd-keyfile=<path/to/client-key-file>" arguments.
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.1.19
@@ -301,10 +284,10 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the federation
apiserver. Then, edit the deployment specs and set "--tls-cert-file=<path/to/tls-
certificate-file>" and "--tls-private-key-file=<path/to/tls-key-file>" :
kubectl edit deployments federation-apiserver-deployment --
namespace=federation-system
apiserver. Then, edit the deployment specs and set
"--tls-cert-file=<path/to/tls-certificate-file>" and
"--tls-private-key-file=<path/to/tls-key-file>":
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true
- id: 3.2
@@ -321,7 +304,6 @@ groups:
value: false
set: true
remediation: |
Edit the deployment specs and set "--profiling=false" :
kubectl edit deployments federation-controller-manager-deployment --
namespace=federation-system
Edit the deployment specs and set "--profiling=false":
kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system
scored: true

242
cfg/1.8/master.yaml
View File

@@ -19,7 +19,7 @@ groups:
value: false
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter.
--anonymous-auth=false
@@ -34,7 +34,7 @@ groups:
set: false
remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file $apiserverpodspec
edit the API server pod specification file $apiserverconf
on the master node and remove the --basic-auth-file=<filename>
parameter.
scored: true
@@ -47,7 +47,7 @@ groups:
- flag: "--insecure-allow-any-token"
set: false
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and remove the --insecure-allow-any-token
parameter.
scored: true
@@ -66,7 +66,7 @@ groups:
- flag: "--kubelet-https"
set: false
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and remove the --kubelet-https parameter.
scored: true
@@ -78,7 +78,7 @@ groups:
- flag: "--insecure-bind-address"
set: false
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and remove the --insecure-bind-address
parameter.
scored: true
@@ -94,7 +94,7 @@ groups:
value: 0
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
apiserver.yaml on the master node and set the below parameter.
--insecure-port=0
scored: true
@@ -113,7 +113,7 @@ groups:
- flag: "--secure-port"
set: false
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and either remove the --secure-port parameter or
set it to a different (non-zero) desired port.
scored: true
@@ -129,7 +129,7 @@ groups:
value: false
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter.
--profiling=false
scored: true
@@ -145,7 +145,7 @@ groups:
value: false
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter.
--repair-malformed-updates=false
scored: true
@@ -161,9 +161,9 @@ groups:
value: AlwaysAdmit
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a
value that does not include AlwaysAdmit .
value that does not include AlwaysAdmit.
scored: true
- id: 1.1.11
@@ -177,9 +177,9 @@ groups:
value: "AlwaysPullImages"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to
include AlwaysPullImages .
include AlwaysPullImages.
--admission-control=...,AlwaysPullImages,...
scored: true
@@ -194,9 +194,9 @@ groups:
value: "DenyEscalatingExec"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a
value that includes DenyEscalatingExec .
value that includes DenyEscalatingExec.
--admission-control=...,DenyEscalatingExec,...
scored: true
@@ -211,9 +211,9 @@ groups:
value: "SecurityContextDeny"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to
include SecurityContextDeny .
include SecurityContextDeny.
--admission-control=...,SecurityContextDeny,...
scored: true
@@ -228,9 +228,9 @@ groups:
value: "NamespaceLifecycle"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to
include NamespaceLifecycle .
include NamespaceLifecycle.
--admission-control=...,NamespaceLifecycle,...
scored: true
@@ -242,7 +242,7 @@ groups:
- flag: "--audit-log-path"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-path parameter to a suitable
path and file where you would like audit logs to be written, for example:
--audit-log-path=/var/log/apiserver/audit.log
@@ -259,7 +259,7 @@ groups:
value: 30
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-maxage parameter to 30 or
as an appropriate number of days:
--audit-log-maxage=30
@@ -276,7 +276,7 @@ groups:
value: 10
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-maxbackup parameter to 10
or to an appropriate value.
--audit-log-maxbackup=10
@@ -293,7 +293,7 @@ groups:
value: 100
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-maxsize parameter to an
appropriate size in MB. For example, to set it as 100 MB:
--audit-log-maxsize=100
@@ -310,9 +310,9 @@ groups:
value: "AlwaysAllow"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --authorization-mode parameter to
values other than AlwaysAllow . One such example could be as below.
values other than AlwaysAllow. One such example could be as below.
--authorization-mode=RBAC
scored: true
@@ -325,7 +325,7 @@ groups:
set: false
remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file $apiserverpodspec
edit the API server pod specification file $apiserverconf
on the master node and remove the --token-auth-file=<filename>
parameter.
scored: true
@@ -340,7 +340,7 @@ groups:
remediation: |
Follow the Kubernetes documentation and setup the TLS connection between the apiserver
and kubelets. Then, edit the API server pod specification file
$apiserverpodspec on the master node and set the --
$apiserverconf on the master node and set the --
kubelet-certificate-authority parameter to the path to the cert file for the certificate
authority.
--kubelet-certificate-authority=<ca-string>
@@ -360,7 +360,7 @@ groups:
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and kubelets. Then, edit API server pod specification file
$apiserverpodspec on the master node and set the
$apiserverconf on the master node and set the
kubelet client certificate and key parameters as below.
--kubelet-client-certificate=<path/to/client-certificate-file>
--kubelet-client-key=<path/to/client-key-file>
@@ -377,7 +377,7 @@ groups:
value: true
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter.
--service-account-lookup=true
scored: true
@@ -394,7 +394,7 @@ groups:
set: true
remediation: |
Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a
value that includes PodSecurityPolicy :
--admission-control=...,PodSecurityPolicy,...
@@ -410,7 +410,7 @@ groups:
- flag: "--service-account-key-file"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --service-account-key-file parameter
to the public key file for service accounts:
--service-account-key-file=<filename>
@@ -418,7 +418,7 @@ groups:
- id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored"
appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
@@ -430,7 +430,7 @@ groups:
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
$apiserverpodspec on the master node and set the etcd
$apiserverconf on the master node and set the etcd
certificate and key file parameters.
--etcd-certfile=<path/to/client-certificate-file>
--etcd-keyfile=<path/to/client-key-file>
@@ -448,9 +448,9 @@ groups:
set: true
remediation: |
Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a
value that includes ServiceAccount .
value that includes ServiceAccount.
--admission-control=...,ServiceAccount,...
scored: true
@@ -467,7 +467,7 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverconf
on the master node and set the TLS certificate and private key file
parameters.
--tls-cert-file=<path/to/tls-certificate-file>
@@ -483,7 +483,7 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverconf
on the master node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file>
scored: true
@@ -498,7 +498,7 @@ groups:
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
$apiserverpodspec on the master node and set the etcd
$apiserverconf on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
scored: true
@@ -514,9 +514,9 @@ groups:
value: "Node"
set: true
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
on the master node and set the --authorization-mode parameter to a
value that includes Node .
value that includes Node.
--authorization-mode=Node,RBAC
scored: true
@@ -532,14 +532,14 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a
value that includes NodeRestriction.
--admission-control=...,NodeRestriction,...
scored: true
- id: 1.1.33
text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is
text: "Ensure that the --experimental-encryption-provider-config argument is
set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
@@ -548,7 +548,7 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit
the API server pod specification file $apiserverpodspec
the API server pod specification file $apiserverconf
on the master node and set the --experimental-encryption-provider-config parameter
to the path of that file:
--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
@@ -586,7 +586,7 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverconf
and set the below parameters.
--admission-control=EventRateLimit
--admission-control-config-file=<path/to/configuration/file>
@@ -598,8 +598,7 @@ groups:
type: "manual"
remediation: |
Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file.
Then, edit the API server pod specification file $apiserverpodspec
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
and set the below parameters.
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
scored: true
@@ -609,9 +608,9 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
Edit the API server pod specification file $apiserverpodspec
Edit the API server pod specification file $apiserverconf
and set the below parameter as appropriate and if needed. For example,
--request-timeout=300
--request-timeout=300s
scored: true
- id: 1.2
@@ -629,7 +628,7 @@ groups:
set: true
remediation: |
Remediation:
Edit the Scheduler pod specification file $apiserverpodspec
Edit the Scheduler pod specification file $schedulerconf
file on the master node and set the below parameter.
--profiling=false
scored: true
@@ -645,9 +644,8 @@ groups:
- flag: "--terminated-pod-gc-threshold"
set: true
remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec
on the master node and set the --terminated-pod-gc-
threshold to an appropriate threshold, for example:
Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
--terminated-pod-gc-threshold=10
scored: true
@@ -662,13 +660,13 @@ groups:
value: false
set: true
remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec
Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the below parameter.
--profiling=false
scored: true
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set"
text: "Ensure that the --use-service-account-credentials argument is set (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
@@ -678,7 +676,7 @@ groups:
value: true
set: true
remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec
Edit the Controller Manager pod specification file $apiserverconf
on the master node to set the below parameter.
--use-service-account-credentials=true
scored: true
@@ -691,7 +689,7 @@ groups:
- flag: "--service-account-private-key-file"
set: true
remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec
Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the --service-account-private-
key-file parameter to the private key file for service accounts.
--service-account-private-key-file=<filename>
@@ -705,9 +703,9 @@ groups:
- flag: "--root-ca-file"
set: true
remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec
Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the --root-ca-file parameter to
the certificate bundle file`.
the certificate bundle file.
--root-ca-file=<path/to/file>
scored: true
@@ -731,7 +729,7 @@ groups:
value: true
set: true
remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec
Edit the Controller Manager pod specification file $apiserverconf
controller-manager.yaml on the master node and set the --feature-gates parameter to
include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true
@@ -743,7 +741,7 @@ groups:
- id: 1.4.1
text: "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %a $apiserverpodspec; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests:
bin_op: or
test_items:
@@ -765,13 +763,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 $apiserverpodspec
chmod 644 $apiserverconf
scored: true
- id: 1.4.2
text: "Ensure that the API server pod specification file ownership is set to
root:root (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %U:%G $apiserverpodspec; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
tests:
test_items:
- flag: "root:root"
@@ -782,13 +780,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root $apiserverpodspec
chown root:root $apiserverconf
scored: true
- id: 1.4.3
text: "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %a $controllermanagerpodspec; fi'"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
tests:
bin_op: or
test_items:
@@ -810,13 +808,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 $controllermanagerpodspec
chmod 644 $controllermanagerconf
scored: true
- id: 1.4.4
text: "Ensure that the controller manager pod specification file
ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %U:%G $controllermanagerpodspec; fi'"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
tests:
test_items:
- flag: "root:root"
@@ -827,13 +825,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root $controllermanagerpodspec
chown root:root $controllermanagerconf
scored: true
- id: 1.4.5
text: "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %a $schedulerpodspec; fi'"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests:
bin_op: or
test_items:
@@ -855,13 +853,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 $schedulerpodspec
chmod 644 $schedulerconf
scored: true
- id: 1.4.6
text: "Ensure that the scheduler pod specification file ownership is set to
root:root (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %U:%G $schedulerpodspec; fi'"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests:
test_items:
- flag: "root:root"
@@ -872,13 +870,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root $schedulerpodspec
chown root:root $schedulerconf
scored: true
- id: 1.4.7
text: "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %a $etcdpodspec; fi'"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests:
bin_op: or
test_items:
@@ -900,13 +898,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 $etcdpodspec
chmod 644 $etcdconf
scored: true
- id: 1.4.8
text: "Ensure that the etcd pod specification file ownership is set to
root:root (Scored)"
audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %U:%G $etcdpodspec; fi'"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
tests:
test_items:
- flag: "root:root"
@@ -917,7 +915,7 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root $etcdpodspec
chown root:root $etcdconf
scored: true
- id: 1.4.9
@@ -944,7 +942,7 @@ groups:
- id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
tests:
test_items:
- flag: "700"
@@ -962,7 +960,7 @@ groups:
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"
@@ -980,12 +978,23 @@ groups:
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@@ -1011,14 +1020,25 @@ groups:
- id: 1.4.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf then stat -c %a $schedulerconf; fi'"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@@ -1044,14 +1064,25 @@ groups:
- id: 1.4.17
text: "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf then stat -c %a $controllermanagerconf; fi'"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@@ -1088,7 +1119,7 @@ groups:
set: true
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file $etcdpodspec on the
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--ca-file=</path/to/ca-file>
--key-file=</path/to/key-file>
@@ -1105,7 +1136,7 @@ groups:
value: true
set: true
remediation: |
Edit the etcd pod specification file $etcdpodspec on the master
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--client-cert-auth="true"
scored: true
@@ -1123,8 +1154,8 @@ groups:
op: neq
value: true
remediation: |
Edit the etcd pod specification file $etcdpodspec on the master
node and either remove the --auto-tls parameter or set it to false .
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
scored: true
@@ -1140,8 +1171,7 @@ groups:
set: true
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file $etcdpodspec on the
for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
@@ -1158,7 +1188,7 @@ groups:
value: true
set: true
remediation: |
Edit the etcd pod specification file $etcdpodspec on the master
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--peer-client-cert-auth=true
scored: true
@@ -1177,8 +1207,8 @@ groups:
value: false
set: true
remediation: |
Edit the etcd pod specification file $etcdpodspec on the master
node and either remove the --peer-auto-tls parameter or set it to false .
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
scored: true
@@ -1190,7 +1220,7 @@ groups:
- flag: "--wal-dir"
set: true
remediation: |
Edit the etcd pod specification file $etcdpodspec on the master
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--wal-dir=</path/to/log/dir>
scored: true
@@ -1206,7 +1236,7 @@ groups:
value: 0
set: true
remediation: |
Edit the etcd pod specification file $etcdpodspec on the master
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--max-wals=0
scored: true
@@ -1221,7 +1251,7 @@ groups:
remediation: |
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdpodspec on the
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
scored: false

87
cfg/1.8/node.yaml
View File

@@ -10,7 +10,7 @@ groups:
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--allow-privileged"
@@ -19,7 +19,7 @@ groups:
value: false
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
@@ -29,7 +29,7 @@ groups:
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -38,7 +38,7 @@ groups:
value: false
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
@@ -48,7 +48,7 @@ groups:
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--authorization-mode"
@@ -57,7 +57,7 @@ groups:
value: "AlwaysAllow"
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
@@ -67,13 +67,13 @@ groups:
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--client-ca-file"
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
@@ -83,7 +83,7 @@ groups:
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--read-only-port"
@@ -92,7 +92,7 @@ groups:
value: 0
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
@@ -102,7 +102,7 @@ groups:
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--streaming-connection-idle-timeout"
@@ -111,7 +111,7 @@ groups:
value: 0
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
@@ -121,7 +121,7 @@ groups:
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--protect-kernel-defaults"
@@ -130,7 +130,7 @@ groups:
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
@@ -140,7 +140,7 @@ groups:
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
@@ -150,7 +150,7 @@ groups:
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
@@ -160,7 +160,7 @@ groups:
- id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--keep-terminated-pod-volumes"
@@ -169,7 +169,7 @@ groups:
value: false
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--keep-terminated-pod-volumes=false
Based on your system, restart the kubelet service. For example:
@@ -179,13 +179,13 @@ groups:
- id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--hostname-override"
set: false
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
@@ -195,7 +195,7 @@ groups:
- id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--event-qps"
@@ -204,7 +204,7 @@ groups:
value: 0
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
@@ -214,7 +214,7 @@ groups:
- id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--tls-cert-file"
@@ -223,8 +223,7 @@ groups:
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-
kubeadm.conf on each worker node and set the below parameters in
Then edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in
KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
@@ -236,7 +235,7 @@ groups:
- id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--cadvisor-port"
@@ -245,7 +244,7 @@ groups:
value: 0
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
@@ -255,7 +254,7 @@ groups:
- id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "RotateKubeletClientCertificate"
@@ -264,7 +263,7 @@ groups:
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --feature-
gates=RotateKubeletClientCertificate=false argument from the
KUBELET_CERTIFICATE_ARGS variable.
@@ -275,7 +274,7 @@ groups:
- id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "RotateKubeletServerCertificate"
@@ -284,7 +283,7 @@ groups:
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletunitfile
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
@@ -298,7 +297,7 @@ groups:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
@@ -320,12 +319,12 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletconf
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
@@ -336,13 +335,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root /etc/kubernetes/kubelet.conf
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
@@ -364,13 +363,12 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletunitfile
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'"
text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
@@ -378,13 +376,13 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletunitfile
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
@@ -406,11 +404,12 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxyconf
chmod 644 $proxykubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
@@ -418,7 +417,7 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxyconf
chown root:root $proxykubeconfig
scored: true
- id: 2.2.7

35
cfg/config.yaml
View File

@@ -24,44 +24,35 @@ master:
bins:
- "kube-apiserver"
- "hyperkube apiserver"
- "hyperkube kube-apiserver"
- "apiserver"
confs:
- /etc/kubernetes/apiserver.conf
- /etc/kubernetes/apiserver
defaultconf: /etc/kubernetes/apiserver
podspecs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
defaultpodspec: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
bins:
- "kube-scheduler"
- "hyperkube scheduler"
- "hyperkube kube-scheduler"
- "scheduler"
confs:
- /etc/kubernetes/scheduler.conf
- /etc/kubernetes/scheduler
defaultconf: /etc/kubernetes/scheduler
podspecs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
defaultpodspec: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager:
bins:
- "kube-controller-manager"
- "hyperkube controller-manager"
- "hyperkube kube-controller-manager"
- "controller-manager"
confs:
- /etc/kubernetes/controller-manager.conf
- /etc/kubernetes/controller-manager
defaultconf: /etc/kubernetes/controller-manager
podspecs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
defaultpodspec: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd:
optional: true
bins:
@@ -70,17 +61,12 @@ master:
- /etc/etcd/etcd.conf
defaultconf: /etc/etcd/etcd.conf
podspecs:
- /etc/kubernetes/manifests/etcd.yaml
defaultpodspec: /etc/kubernetes/manifests/etcd.yaml
flanneld:
optional: true
bins:
- flanneld
defaultconf: /etc/sysconfig/flanneld
node:
components:
- kubelet
@@ -95,24 +81,19 @@ node:
bins:
- "hyperkube kubelet"
- "kubelet"
confs:
- /etc/kubernetes/kubelet.conf
- /etc/kubernetes/kubelet
defaultconf: "/etc/kubernetes/kubelet.conf"
defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
unitfiles:
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultunitfile: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
bins:
- "kube-proxy"
- "hyperkube proxy"
- "proxy"
confs:
- /etc/kubernetes/proxy.conf
- /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
federated:
components:
@@ -130,5 +111,3 @@ federated:
- "hyperkube federation-controller-manager"
- "kube-federation-controller-manager"
- "federation-controller-manager"

22
cfg/ocp-3.10/config.yaml Normal file
View File

@@ -0,0 +1,22 @@
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
master:
apiserver:
bins:
- hypershift openshift-kube-apiserver
etcd:
bins:
- openshift start etcd
node:
proxy:
bins:
- openshift start network

113
cfg/ocp-3.10/federated.yaml Normal file
View File

@@ -0,0 +1,113 @@
---
controls:
id: 3
text: "Federated Deployments"
type: "federated"
groups:
- id: 3.1
text: "Federated API Server"
checks:
- id: 3.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
type: "skip"
scored: true
- id: 3.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
type: "skip"
scored: true
- id: 3.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
type: "skip"
scored: true
- id: 3.1.4
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
type: "skip"
scored: true
- id: 3.1.5
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
type: "skip"
scored: true
- id: 3.1.6
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
type: "skip"
scored: true
- id: 3.1.7
text: "Ensure that the --profiling argument is set to false (Scored)"
type: "skip"
scored: true
- id: 3.1.8
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
type: "skip"
scored: true
- id: 3.1.9
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
type: "skip"
scored: true
- id: 3.1.10
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.1.11
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.1.12
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.1.13
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.1.14
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
type: "skip"
scored: true
- id: 3.1.15
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
type: "skip"
scored: true
- id: 3.1.16
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
type: "skip"
scored: true
- id: 3.1.17
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.1.18
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.1.19
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
type: "skip"
scored: true
- id: 3.2
text: "Federation Controller Manager"
checks:
- id: 3.2.1
text: "Ensure that the --profiling argument is set to false (Scored)"
type: "skip"
scored: true

1500
cfg/ocp-3.10/master.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

376
cfg/ocp-3.10/node.yaml Normal file
View File

@@ -0,0 +1,376 @@
---
controls:
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
type: "skip"
scored: true
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
type: "skip"
scored: true
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "authorization-mode"
set: false
- flag: "authorization-mode: Webhook"
compare:
op: has
value: "Webhook"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
scored: true
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
tests:
test_items:
- flag: "client-ca-file"
set: false
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
Reset to the OpenShift default.
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
scored: true
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "read-only-port"
set: false
- flag: "read-only-port: 0"
compare:
op: has
value: "0"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "streaming-connection-idle-timeout"
set: false
- flag: "0"
set: false
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
value like the following in node-config.yaml.
kubeletArguments:
 streaming-connection-idle-timeout:
   - "5m"
scored: true
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
type: "skip"
scored: true
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "make-iptables-util-chains"
set: false
- flag: "make-iptables-util-chains: true"
compare:
op: has
value: "true"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
default value of true.
scored: true
id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
tests:
test_items:
- flag: "keep-terminated-pod-volumes: false"
compare:
op: has
value: "false"
set: true
remediation: |
Reset to the OpenShift defaults
scored: true
- id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)"
type: "skip"
scored: true
- id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "event-qps"
set: false
- flag: "event-qps: 0"
compare:
op: has
value: "0"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
the kubeletArguments section of.
scored: true
- id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
tests:
test_items:
- flag: "/etc/origin/node/certificates"
compare:
op: has
value: "/etc/origin/node/certificates"
set: true
remediation: |
Reset to the OpenShift default values.
scored: true
- id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "cadvisor-port"
set: false
- flag: "cadvisor-port: 0"
compare:
op: has
value: "0"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
if it is set in the kubeletArguments section.
scored: true
- id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
tests:
test_items:
- flag: "RotateKubeletClientCertificate=true"
compare:
op: has
value: "true"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true
- id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
test:
test_items:
- flag: "RotateKubeletServerCertificate=true"
compare:
op: has
value: "true"
set: true
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
scored: true
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/systemd/system/atomic-openshift-node.service
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command on each worker node.
chown root:root /etc/systemd/system/atomic-openshift-node.service
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %a /etc/origin/node/client-ca.crt"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/client-ca.crt
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command on each worker node.
chown root:root /etc/origin/node/client-ca.crt
scored: true

48
check/check.go
View File

@@ -60,22 +60,32 @@ func handleError(err error, context string) (errmsg string) {
// Check contains information about a recommendation in the
// CIS Kubernetes 1.6+ document.
type Check struct {
ID string `yaml:"id" json:"id"`
Text string
ID string `yaml:"id" json:"test_number"`
Text string `json:"test_desc"`
Audit string `json:"omit"`
Type string `json:"type"`
Commands []*exec.Cmd `json:"omit"`
Tests *tests `json:"omit"`
Set bool `json:"omit"`
Remediation string
State
Remediation string `json:"-"`
TestInfo []string `json:"test_info"`
State `json:"status"`
ActualValue string `json:"actual_value"`
Scored bool `json:"scored"`
}
// Run executes the audit commands specified in a check and outputs
// the results.
func (c *Check) Run() {
// If check type is manual, force result to WARN.
if c.Type == "manual" {
// If check type is skip, force result to INFO
if c.Type == "skip" {
c.State = INFO
return
}
// If check type is manual or the check is not scored, force result to WARN
if c.Type == "manual" || !c.Scored {
c.State = WARN
return
}
@@ -156,15 +166,27 @@ func (c *Check) Run() {
i++
}
if errmsgs != "" {
glog.V(2).Info(errmsgs)
glog.V(3).Info(out.String())
finalOutput := c.Tests.execute(out.String())
if finalOutput != nil {
c.ActualValue = finalOutput.actualResult
if finalOutput.testResult {
c.State = PASS
} else {
c.State = FAIL
}
} else {
errmsgs += handleError(
fmt.Errorf("final output is nil"),
fmt.Sprintf("failed to run: %s\n",
c.Audit,
),
)
}
res := c.Tests.execute(out.String())
if res {
c.State = PASS
} else {
c.State = FAIL
if errmsgs != "" {
glog.V(2).Info(errmsgs)
}
}

30
check/check_test.go Normal file
View File

@@ -0,0 +1,30 @@
package check
import (
"testing"
)
func TestCheck_Run(t *testing.T) {
type TestCase struct {
check Check
Expected State
}
testCases := []TestCase{
{check: Check{Type: "manual"}, Expected: WARN},
{check: Check{Type: "skip"}, Expected: INFO},
{check: Check{Type: "", Scored: false}, Expected: WARN}, // Not scored checks with no type should be marked warn
{check: Check{Type: "", Scored: true}, Expected: WARN}, // If there are no tests in the check, warn
{check: Check{Type: "manual", Scored: false}, Expected: WARN},
{check: Check{Type: "skip", Scored: false}, Expected: INFO},
}
for _, testCase := range testCases {
testCase.check.Run()
if testCase.check.State != testCase.Expected {
t.Errorf("test failed, expected %s, actual %s\n", testCase.Expected, testCase.check.State)
}
}
}

49
check/controls.go
View File

@@ -23,26 +23,31 @@ import (
// Controls holds all controls to check for master nodes.
type Controls struct {
ID string `yaml:"id"`
Version string
Text string
Type NodeType
Groups []*Group
ID string `yaml:"id" json:"id"`
Version string `json:"version"`
Text string `json:"text"`
Type NodeType `json:"node_type"`
Groups []*Group `json:"tests"`
Summary
}
// Group is a collection of similar checks.
type Group struct {
ID string `yaml:"id"`
Text string
Checks []*Check
ID string `yaml:"id" json:"section"`
Pass int `json:"pass"`
Fail int `json:"fail"`
Warn int `json:"warn"`
Info int `json:"info"`
Text string `json:"desc"`
Checks []*Check `json:"results"`
}
// Summary is a summary of the results of control checks run.
type Summary struct {
Pass int
Fail int
Warn int
Pass int `json:"total_pass"`
Fail int `json:"total_fail"`
Warn int `json:"total_warn"`
Info int `json:"total_info"`
}
// NewControls instantiates a new master Controls object.
@@ -71,7 +76,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
// RunGroup runs all checks in a group.
func (controls *Controls) RunGroup(gids ...string) Summary {
g := []*Group{}
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
// If no groupid is passed run all group checks.
if len(gids) == 0 {
@@ -84,7 +89,9 @@ func (controls *Controls) RunGroup(gids ...string) Summary {
if gid == group.ID {
for _, check := range group.Checks {
check.Run()
check.TestInfo = append(check.TestInfo, check.Remediation)
summarize(controls, check)
summarizeGroup(group, check)
}
g = append(g, group)
@@ -100,7 +107,7 @@ func (controls *Controls) RunGroup(gids ...string) Summary {
func (controls *Controls) RunChecks(ids ...string) Summary {
g := []*Group{}
m := make(map[string]*Group)
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn, controls.Info = 0, 0, 0, 0
// If no groupid is passed run all group checks.
if len(ids) == 0 {
@@ -112,6 +119,7 @@ func (controls *Controls) RunChecks(ids ...string) Summary {
for _, id := range ids {
if id == check.ID {
check.Run()
check.TestInfo = append(check.TestInfo, check.Remediation)
summarize(controls, check)
// Check if we have already added this checks group.
@@ -176,5 +184,20 @@ func summarize(controls *Controls, check *Check) {
controls.Summary.Fail++
case WARN:
controls.Summary.Warn++
case INFO:
controls.Summary.Info++
}
}
func summarizeGroup(group *Group, check *Check) {
switch check.State {
case PASS:
group.Pass++
case FAIL:
group.Fail++
case WARN:
group.Warn++
case INFO:
group.Info++
}
}

11
check/data
View File

@@ -17,7 +17,7 @@ groups:
- id: 1
text: "flag is not set"
tests:
test_item:
test_items:
- flag: "--basic-auth"
set: false
@@ -158,3 +158,12 @@ groups:
set: true
- id: 14
text: "check that flag some-arg is set to some-val with ':' separator"
tests:
test_items:
- flag: "some-arg"
compare:
op: eq
value: some-val
set: true

76
check/test.go
View File

@@ -49,8 +49,13 @@ type compare struct {
Value string
}
func (t *testItem) execute(s string) (result bool) {
result = false
type testOutput struct {
testResult bool
actualResult string
}
func (t *testItem) execute(s string) *testOutput {
result := &testOutput{}
match := strings.Contains(s, t.Flag)
if t.Set {
@@ -63,7 +68,7 @@ func (t *testItem) execute(s string) (result bool) {
// --flag
// somevalue
//pttn := `(` + t.Flag + `)(=)*([^\s,]*) *`
pttn := `(` + t.Flag + `)(=)*([^\s]*) *`
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s)
@@ -78,45 +83,57 @@ func (t *testItem) execute(s string) (result bool) {
os.Exit(1)
}
result.actualResult = strings.ToLower(flagVal)
switch t.Compare.Op {
case "eq":
result = flagVal == t.Compare.Value
value := strings.ToLower(flagVal)
// Do case insensitive comparaison for booleans ...
if value == "false" || value == "true" {
result.testResult = value == t.Compare.Value
} else {
result.testResult = flagVal == t.Compare.Value
}
case "noteq":
result = !(flagVal == t.Compare.Value)
value := strings.ToLower(flagVal)
// Do case insensitive comparaison for booleans ...
if value == "false" || value == "true" {
result.testResult = !(value == t.Compare.Value)
} else {
result.testResult = !(flagVal == t.Compare.Value)
}
case "gt":
a, b := toNumeric(flagVal, t.Compare.Value)
result = a > b
result.testResult = a > b
case "gte":
a, b := toNumeric(flagVal, t.Compare.Value)
result = a >= b
result.testResult = a >= b
case "lt":
a, b := toNumeric(flagVal, t.Compare.Value)
result = a < b
result.testResult = a < b
case "lte":
a, b := toNumeric(flagVal, t.Compare.Value)
result = a <= b
result.testResult = a <= b
case "has":
result = strings.Contains(flagVal, t.Compare.Value)
result.testResult = strings.Contains(flagVal, t.Compare.Value)
case "nothave":
result = !strings.Contains(flagVal, t.Compare.Value)
result.testResult = !strings.Contains(flagVal, t.Compare.Value)
}
} else {
result = isset
result.testResult = isset
}
} else {
notset := !match
result = notset
result.testResult = notset
}
return
return result
}
type tests struct {
@@ -124,13 +141,25 @@ type tests struct {
BinOp binOp `yaml:"bin_op"`
}
func (ts *tests) execute(s string) (result bool) {
res := make([]bool, len(ts.TestItems))
func (ts *tests) execute(s string) *testOutput {
finalOutput := &testOutput{}
for i, t := range ts.TestItems {
res[i] = t.execute(s)
// If no tests are defined return with empty finalOutput.
// This may be the case for checks of type: "skip".
if ts == nil {
return finalOutput
}
res := make([]testOutput, len(ts.TestItems))
if len(res) == 0 {
return finalOutput
}
for i, t := range ts.TestItems {
res[i] = *(t.execute(s))
}
var result bool
// If no binary operation is specified, default to AND
switch ts.BinOp {
default:
@@ -139,16 +168,19 @@ func (ts *tests) execute(s string) (result bool) {
case and, "":
result = true
for i := range res {
result = result && res[i]
result = result && res[i].testResult
}
case or:
result = false
for i := range res {
result = result || res[i]
result = result || res[i].testResult
}
}
return
finalOutput.testResult = result
finalOutput.actualResult = res[0].actualResult
return finalOutput
}
func toNumeric(a, b string) (c, d int) {

12
check/test_test.go
View File

@@ -110,10 +110,20 @@ func TestTestExecute(t *testing.T) {
controls.Groups[0].Checks[13],
"2:45 ../kubernetes/kube-apiserver --option --admission-control=Something ---audit-log-maxage=40",
},
{
// check for ':' as argument-value separator, with space between arg and val
controls.Groups[0].Checks[14],
"2:45 kube-apiserver some-arg: some-val --admission-control=Something ---audit-log-maxage=40",
},
{
// check for ':' as argument-value separator, with no space between arg and val
controls.Groups[0].Checks[14],
"2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
},
}
for _, c := range cases {
res := c.Tests.execute(c.str)
res := c.Tests.execute(c.str).testResult
if !res {
t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res)
}

200
cmd/common.go
View File

@@ -17,6 +17,8 @@ package cmd
import (
"fmt"
"io/ioutil"
"os"
"path/filepath"
"github.com/aquasecurity/kube-bench/check"
"github.com/golang/glog"
@@ -27,60 +29,40 @@ var (
errmsgs string
)
func runChecks(t check.NodeType) {
func runChecks(nodetype check.NodeType) {
var summary check.Summary
var file string
var err error
var typeConf *viper.Viper
switch t {
case check.MASTER:
file = masterFile
typeConf = viper.Sub("master")
case check.NODE:
file = nodeFile
typeConf = viper.Sub("node")
case check.FEDERATED:
file = federatedFile
typeConf = viper.Sub("federated")
}
// Get the set of exectuables and config files we care about on this type of node. This also
// checks that the executables we need for the node type are running.
binmap := getBinaries(typeConf)
confmap := getConfigFiles(typeConf, "conf")
podspecmap := getConfigFiles(typeConf, "podspec")
unitfilemap := getConfigFiles(typeConf, "unitfile")
switch t {
case check.MASTER:
file = masterFile
case check.NODE:
file = nodeFile
case check.FEDERATED:
file = federatedFile
}
ver := getKubeVersion()
path := fmt.Sprintf("%s/%s/%s", cfgDir, ver.Server, file)
in, err := ioutil.ReadFile(path)
def := loadConfig(nodetype)
in, err := ioutil.ReadFile(def)
if err != nil {
exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
exitWithError(fmt.Errorf("error opening %s controls file: %v", nodetype, err))
}
glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", def))
// Get the set of exectuables and config files we care about on this type of node.
typeConf := viper.Sub(string(nodetype))
binmap, err := getBinaries(typeConf)
// Checks that the executables we need for the node type are running.
if err != nil {
exitWithError(err)
}
confmap := getConfigFiles(typeConf)
svcmap := getServiceFiles(typeConf)
kubeconfmap := getKubeConfigFiles(typeConf)
// Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in)
s = makeSubstitutions(s, "bin", binmap)
s = makeSubstitutions(s, "conf", confmap)
s = makeSubstitutions(s, "podspec", podspecmap)
s = makeSubstitutions(s, "unitfile", unitfilemap)
s = makeSubstitutions(s, "svc", svcmap)
s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
glog.V(1).Info(fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", path))
controls, err := check.NewControls(t, []byte(s))
controls, err := check.NewControls(nodetype, []byte(s))
if err != nil {
exitWithError(fmt.Errorf("error setting up %s controls: %v", t, err))
exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err))
}
if groupList != "" && checkList == "" {
@@ -96,7 +78,7 @@ func runChecks(t check.NodeType) {
}
// if we successfully ran some tests and it's json format, ignore the warnings
if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && jsonFmt {
if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && jsonFmt {
out, err := controls.JSON()
if err != nil {
exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
@@ -104,7 +86,17 @@ func runChecks(t check.NodeType) {
fmt.Println(string(out))
} else {
prettyPrint(controls, summary)
// if we want to store in PostgreSQL, convert to JSON and save it
if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0 || summary.Info > 0) && pgSQL {
out, err := controls.JSON()
if err != nil {
exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
}
savePgsql(string(out))
} else {
prettyPrint(controls, summary)
}
}
}
@@ -116,41 +108,103 @@ func colorPrint(state check.State, s string) {
// prettyPrint outputs the results to stdout in human-readable format
func prettyPrint(r *check.Controls, summary check.Summary) {
colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text))
for _, g := range r.Groups {
colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text))
for _, c := range g.Checks {
colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text))
}
}
fmt.Println()
// Print remediations.
if summary.Fail > 0 || summary.Warn > 0 {
colors[check.WARN].Printf("== Remediations ==\n")
// Print check results.
if !noResults {
colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text))
for _, g := range r.Groups {
colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text))
for _, c := range g.Checks {
if c.State != check.PASS {
fmt.Printf("%s %s\n", c.ID, c.Remediation)
}
colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text))
}
}
fmt.Println()
}
// Print summary setting output color to highest severity.
var res check.State
if summary.Fail > 0 {
res = check.FAIL
} else if summary.Warn > 0 {
res = check.WARN
} else {
res = check.PASS
// Print remediations.
if !noRemediations {
if summary.Fail > 0 || summary.Warn > 0 {
colors[check.WARN].Printf("== Remediations ==\n")
for _, g := range r.Groups {
for _, c := range g.Checks {
if c.State == check.FAIL || c.State == check.WARN {
fmt.Printf("%s %s\n", c.ID, c.Remediation)
}
}
}
fmt.Println()
}
}
colors[res].Printf("== Summary ==\n")
fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n",
summary.Pass, summary.Fail, summary.Warn,
)
// Print summary setting output color to highest severity.
if !noSummary {
var res check.State
if summary.Fail > 0 {
res = check.FAIL
} else if summary.Warn > 0 {
res = check.WARN
} else {
res = check.PASS
}
colors[res].Printf("== Summary ==\n")
fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n%d checks INFO\n",
summary.Pass, summary.Fail, summary.Warn, summary.Info,
)
}
}
// loadConfig finds the correct config dir based on the kubernetes version,
// merges any specific config.yaml file found with the main config
// and returns the benchmark file to use.
func loadConfig(nodetype check.NodeType) string {
var file string
var err error
switch nodetype {
case check.MASTER:
file = masterFile
case check.NODE:
file = nodeFile
case check.FEDERATED:
file = federatedFile
}
runningVersion := ""
if kubeVersion == "" {
runningVersion, err = getKubeVersion()
if err != nil {
exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
}
}
path, err := getConfigFilePath(kubeVersion, runningVersion, file)
if err != nil {
exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err))
}
// Merge kubernetes version specific config if any.
viper.SetConfigFile(path + "/config.yaml")
err = viper.MergeInConfig()
if err != nil {
if os.IsNotExist(err) {
glog.V(2).Info(fmt.Sprintf("No version-specific config.yaml file in %s", path))
} else {
exitWithError(fmt.Errorf("couldn't read config file %s: %v", path+"/config.yaml", err))
}
} else {
glog.V(1).Info(fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
}
return filepath.Join(path, file)
}
// isMaster verify if master components are running on the node.
func isMaster() bool {
_ = loadConfig(check.MASTER)
glog.V(2).Info("Checking if the current node is running master components")
masterConf := viper.Sub(string(check.MASTER))
if _, err := getBinaries(masterConf); err != nil {
glog.V(2).Info(err)
return false
}
return true
}

60
cmd/database.go Normal file
View File

@@ -0,0 +1,60 @@
package cmd
import (
"fmt"
"os"
"time"
"github.com/golang/glog"
"github.com/jinzhu/gorm"
_ "github.com/jinzhu/gorm/dialects/postgres" // database packages get blank imports
"github.com/spf13/viper"
)
func savePgsql(jsonInfo string) {
envVars := map[string]string{
"PGSQL_HOST": viper.GetString("PGSQL_HOST"),
"PGSQL_USER": viper.GetString("PGSQL_USER"),
"PGSQL_DBNAME": viper.GetString("PGSQL_DBNAME"),
"PGSQL_SSLMODE": viper.GetString("PGSQL_SSLMODE"),
"PGSQL_PASSWORD": viper.GetString("PGSQL_PASSWORD"),
}
for k, v := range envVars {
if v == "" {
exitWithError(fmt.Errorf("environment variable %s is missing", envVarsPrefix+"_"+k))
}
}
connInfo := fmt.Sprintf("host=%s user=%s dbname=%s sslmode=%s password=%s",
envVars["PGSQL_HOST"],
envVars["PGSQL_USER"],
envVars["PGSQL_DBNAME"],
envVars["PGSQL_SSLMODE"],
envVars["PGSQL_PASSWORD"],
)
hostname, err := os.Hostname()
if err != nil {
exitWithError(fmt.Errorf("received error looking up hostname: %s", err))
}
timestamp := time.Now()
type ScanResult struct {
gorm.Model
ScanHost string `gorm:"type:varchar(63) not null"` // https://www.ietf.org/rfc/rfc1035.txt
ScanTime time.Time `gorm:"not null"`
ScanInfo string `gorm:"type:jsonb not null"`
}
db, err := gorm.Open("postgres", connInfo)
defer db.Close()
if err != nil {
exitWithError(fmt.Errorf("received error connecting to database: %s", err))
}
db.Debug().AutoMigrate(&ScanResult{})
db.Save(&ScanResult{ScanHost: hostname, ScanTime: timestamp, ScanInfo: jsonInfo})
glog.V(2).Info(fmt.Sprintf("successfully stored result to: %s", envVars["PGSQL_HOST"]))
}

45
cmd/root.go
View File

@@ -20,27 +20,42 @@ import (
"os"
"github.com/aquasecurity/kube-bench/check"
"github.com/golang/glog"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
var (
cfgDir = "./cfg"
cfgFile string
jsonFmt bool
checkList string
groupList string
masterFile string
nodeFile string
federatedFile string
envVarsPrefix = "KUBE_BENCH"
defaultKubeVersion = "1.6"
kubeVersion string
cfgFile string
cfgDir string
jsonFmt bool
pgSQL bool
checkList string
groupList string
masterFile = "master.yaml"
nodeFile = "node.yaml"
federatedFile string
noResults bool
noSummary bool
noRemediations bool
)
// RootCmd represents the base command when called without any subcommands
var RootCmd = &cobra.Command{
Use: os.Args[0],
Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
Long: `This tool runs the CIS Kubernetes 1.6 Benchmark v1.0.0 checks.`,
Long: `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
Run: func(cmd *cobra.Command, args []string) {
if isMaster() {
glog.V(1).Info("== Running master checks ==\n")
runChecks(check.MASTER)
}
glog.V(1).Info("== Running node checks ==\n")
runChecks(check.NODE)
},
}
// Execute adds all child commands to the root command sets flags appropriately.
@@ -58,7 +73,13 @@ func Execute() {
func init() {
cobra.OnInitialize(initConfig)
// Output control
RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable printing of results section")
RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section")
RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")
RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
RootCmd.PersistentFlags().StringVarP(
&checkList,
"check",
@@ -74,6 +95,8 @@ func init() {
`Run all the checks under this comma-delimited list of groups. Example --group="1.1"`,
)
RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)")
RootCmd.PersistentFlags().StringVarP(&cfgDir, "config-dir", "D", "./cfg/", "config directory")
RootCmd.PersistentFlags().StringVar(&kubeVersion, "version", "", "Manually specify Kubernetes version, automatically detected if unset")
goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) {
RootCmd.PersistentFlags().AddGoFlag(goflag)
@@ -90,7 +113,7 @@ func initConfig() {
viper.AddConfigPath(cfgDir) // adding ./cfg as first search path
}
viper.SetEnvPrefix("KUBE_BENCH")
viper.SetEnvPrefix(envVarsPrefix)
viper.AutomaticEnv() // read in environment variables that match
// If a config file is found, read it in.

228
cmd/util.go
View File

@@ -4,7 +4,9 @@ import (
"fmt"
"os"
"os/exec"
"path/filepath"
"regexp"
"strconv"
"strings"
"github.com/aquasecurity/kube-bench/check"
@@ -31,20 +33,6 @@ func init() {
statFunc = os.Stat
}
func printlnWarn(msg string) {
fmt.Fprintf(os.Stderr, "[%s] %s\n",
colors[check.WARN].Sprintf("%s", check.WARN),
msg,
)
}
func sprintlnWarn(msg string) string {
return fmt.Sprintf("[%s] %s",
colors[check.WARN].Sprintf("%s", check.WARN),
msg,
)
}
func exitWithError(err error) {
fmt.Fprintf(os.Stderr, "\n%v\n", err)
os.Exit(1)
@@ -84,8 +72,9 @@ func ps(proc string) string {
return string(out)
}
// getBinaries finds which of the set of candidate executables are running
func getBinaries(v *viper.Viper) map[string]string {
// getBinaries finds which of the set of candidate executables are running.
// It returns an error if one mandatory executable is not running.
func getBinaries(v *viper.Viper) (map[string]string, error) {
binmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
@@ -99,7 +88,7 @@ func getBinaries(v *viper.Viper) map[string]string {
if len(bins) > 0 {
bin, err := findExecutable(bins)
if err != nil && !optional {
exitWithError(fmt.Errorf("need %s executable but none of the candidates are running", component))
return nil, fmt.Errorf("need %s executable but none of the candidates are running", component)
}
// Default the executable name that we'll substitute to the name of the component
@@ -113,13 +102,64 @@ func getBinaries(v *viper.Viper) map[string]string {
}
}
return binmap
return binmap, nil
}
// getConfigFilePath locates the config files we should be using based on either the specified
// version, or the running version of kubernetes if not specified
func getConfigFilePath(specifiedVersion string, runningVersion string, filename string) (path string, err error) {
var fileVersion string
if specifiedVersion != "" {
fileVersion = specifiedVersion
} else {
fileVersion = runningVersion
}
glog.V(2).Info(fmt.Sprintf("Looking for config for version %s", fileVersion))
for {
path = filepath.Join(cfgDir, fileVersion)
file := filepath.Join(path, string(filename))
glog.V(2).Info(fmt.Sprintf("Looking for config file: %s\n", file))
if _, err = os.Stat(file); !os.IsNotExist(err) {
if specifiedVersion == "" && fileVersion != runningVersion {
glog.V(1).Info(fmt.Sprintf("No test file found for %s - using tests for Kubernetes %s\n", runningVersion, fileVersion))
}
return path, nil
}
// If we were given an explicit version to look for, don't look for any others
if specifiedVersion != "" {
return "", err
}
fileVersion = decrementVersion(fileVersion)
if fileVersion == "" {
return "", fmt.Errorf("no test files found <= runningVersion")
}
}
}
// decrementVersion decrements the version number
// We want to decrement individually even through versions where we don't supply test files
// just in case someone wants to specify their own test files for that version
func decrementVersion(version string) string {
split := strings.Split(version, ".")
minor, err := strconv.Atoi(split[1])
if err != nil {
return ""
}
if minor <= 1 {
return ""
}
split[1] = strconv.Itoa(minor - 1)
return strings.Join(split, ".")
}
// getConfigFiles finds which of the set of candidate config files exist
// accepts a string 't' which indicates the type of config file, conf,
// podspec or untifile.
func getConfigFiles(v *viper.Viper, t string) map[string]string {
func getConfigFiles(v *viper.Viper) map[string]string {
confmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
@@ -129,14 +169,14 @@ func getConfigFiles(v *viper.Viper, t string) map[string]string {
}
// See if any of the candidate config files exist
conf := findConfigFile(s.GetStringSlice(t + "s"))
conf := findConfigFile(s.GetStringSlice("confs"))
if conf == "" {
if s.IsSet("default" + t) {
conf = s.GetString("default" + t)
if s.IsSet("defaultconf") {
conf = s.GetString("defaultconf")
glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
} else {
// Default the config file name that we'll substitute to the name of the component
printlnWarn(fmt.Sprintf("Missing config file for %s", component))
glog.V(2).Info(fmt.Sprintf("Missing config file for %s", component))
conf = component
}
} else {
@@ -149,6 +189,68 @@ func getConfigFiles(v *viper.Viper, t string) map[string]string {
return confmap
}
// getServiceFiles finds which of the set of candidate service files exist
func getServiceFiles(v *viper.Viper) map[string]string {
svcmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
s := v.Sub(component)
if s == nil {
continue
}
// See if any of the candidate config files exist
svc := findConfigFile(s.GetStringSlice("svc"))
if svc == "" {
if s.IsSet("defaultsvc") {
svc = s.GetString("defaultsvc")
glog.V(2).Info(fmt.Sprintf("Using default service file name '%s' for component %s", svc, component))
} else {
// Default the service file name that we'll substitute to the name of the component
glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
svc = component
}
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, svc))
}
svcmap[component] = svc
}
return svcmap
}
// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
func getKubeConfigFiles(v *viper.Viper) map[string]string {
kubeconfigmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
s := v.Sub(component)
if s == nil {
continue
}
// See if any of the candidate config files exist
kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig"))
if kubeconfig == "" {
if s.IsSet("defaultkubeconfig") {
kubeconfig = s.GetString("defaultkubeconfig")
glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
} else {
// Default the service file name that we'll substitute to the name of the component
glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
kubeconfig = component
}
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig))
}
kubeconfigmap[component] = kubeconfig
}
return kubeconfigmap
}
// verifyBin checks that the binary specified is running
func verifyBin(bin string) bool {
@@ -196,9 +298,8 @@ func findExecutable(candidates []string) (string, error) {
for _, c := range candidates {
if verifyBin(c) {
return c, nil
} else {
glog.V(1).Info(fmt.Sprintf("executable '%s' not running", c))
}
glog.V(1).Info(fmt.Sprintf("executable '%s' not running", c))
}
return "", fmt.Errorf("no candidates running")
@@ -213,39 +314,66 @@ func multiWordReplace(s string, subname string, sub string) string {
return strings.Replace(s, subname, sub, -1)
}
type version struct {
Server string
Client string
}
func getKubeVersion() *version {
ver := new(version)
func getKubeVersion() (string, error) {
// These executables might not be on the user's path.
_, err := exec.LookPath("kubectl")
if err != nil {
s := fmt.Sprintf("Kubernetes version check skipped with error %v", err)
continueWithError(err, sprintlnWarn(s))
return nil
_, err = exec.LookPath("kubelet")
if err != nil {
// Search for the kubelet binary all over the filesystem and run the first match to get the kubernetes version
cmd := exec.Command("/bin/sh", "-c", "`find / -type f -executable -name kubelet 2>/dev/null | grep -m1 .` --version")
out, err := cmd.CombinedOutput()
if err == nil {
return getVersionFromKubeletOutput(string(out)), nil
}
return "", fmt.Errorf("need kubectl or kubelet binaries to get kubernetes version")
}
return getKubeVersionFromKubelet(), nil
}
cmd := exec.Command("kubectl", "version")
out, err := cmd.Output()
return getKubeVersionFromKubectl(), nil
}
func getKubeVersionFromKubectl() string {
cmd := exec.Command("kubectl", "version", "--short")
out, err := cmd.CombinedOutput()
if err != nil {
s := fmt.Sprintf("Kubernetes version check skipped, with error getting kubectl version")
continueWithError(err, sprintlnWarn(s))
return nil
continueWithError(fmt.Errorf("%s", out), "")
}
clientVerRe := regexp.MustCompile(`Client.*Major:"(\d+)".*Minor:"(\d+)"`)
svrVerRe := regexp.MustCompile(`Server.*Major:"(\d+)".*Minor:"(\d+)"`)
return getVersionFromKubectlOutput(string(out))
}
sub := clientVerRe.FindStringSubmatch(string(out))
ver.Client = sub[1] + "." + sub[2]
func getKubeVersionFromKubelet() string {
cmd := exec.Command("kubelet", "--version")
out, err := cmd.CombinedOutput()
sub = svrVerRe.FindStringSubmatch(string(out))
ver.Server = sub[1] + "." + sub[2]
if err != nil {
continueWithError(fmt.Errorf("%s", out), "")
}
return ver
return getVersionFromKubeletOutput(string(out))
}
func getVersionFromKubectlOutput(s string) string {
serverVersionRe := regexp.MustCompile(`Server Version: v(\d+.\d+)`)
subs := serverVersionRe.FindStringSubmatch(s)
if len(subs) < 2 {
glog.V(1).Info(fmt.Sprintf("Unable to get Kubernetes version from kubectl, using default version: %s", defaultKubeVersion))
return defaultKubeVersion
}
return subs[1]
}
func getVersionFromKubeletOutput(s string) string {
serverVersionRe := regexp.MustCompile(`Kubernetes v(\d+.\d+)`)
subs := serverVersionRe.FindStringSubmatch(s)
if len(subs) < 2 {
glog.V(1).Info(fmt.Sprintf("Unable to get Kubernetes version from kubelet, using default version: %s", defaultKubeVersion))
return defaultKubeVersion
}
return subs[1]
}
func makeSubstitutions(s string, ext string, m map[string]string) string {
@@ -255,7 +383,7 @@ func makeSubstitutions(s string, ext string, m map[string]string) string {
glog.V(2).Info(fmt.Sprintf("No subsitution for '%s'\n", subst))
continue
}
glog.V(1).Info(fmt.Sprintf("Substituting %s with '%s'\n", subst, v))
glog.V(2).Info(fmt.Sprintf("Substituting %s with '%s'\n", subst, v))
s = multiWordReplace(s, subst, v)
}

201
cmd/util_test.go
View File

@@ -15,9 +15,10 @@
package cmd
import (
"io/ioutil"
"os"
"path/filepath"
"reflect"
"regexp"
"strconv"
"testing"
@@ -108,38 +109,51 @@ func TestFindExecutable(t *testing.T) {
func TestGetBinaries(t *testing.T) {
cases := []struct {
config map[string]interface{}
psOut string
exp map[string]string
config map[string]interface{}
psOut string
exp map[string]string
expectErr bool
}{
{
config: map[string]interface{}{"components": []string{"apiserver"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}},
psOut: "kube-apiserver",
exp: map[string]string{"apiserver": "kube-apiserver"},
config: map[string]interface{}{"components": []string{"apiserver"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}},
psOut: "kube-apiserver",
exp: map[string]string{"apiserver": "kube-apiserver"},
expectErr: false,
},
{
// "thing" is not in the list of components
config: map[string]interface{}{"components": []string{"apiserver"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}}},
psOut: "kube-apiserver thing",
exp: map[string]string{"apiserver": "kube-apiserver"},
config: map[string]interface{}{"components": []string{"apiserver"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}}},
psOut: "kube-apiserver thing",
exp: map[string]string{"apiserver": "kube-apiserver"},
expectErr: false,
},
{
// "anotherthing" in list of components but doesn't have a defintion
config: map[string]interface{}{"components": []string{"apiserver", "anotherthing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}}},
psOut: "kube-apiserver thing",
exp: map[string]string{"apiserver": "kube-apiserver"},
config: map[string]interface{}{"components": []string{"apiserver", "anotherthing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}}},
psOut: "kube-apiserver thing",
exp: map[string]string{"apiserver": "kube-apiserver"},
expectErr: false,
},
{
// more than one component
config: map[string]interface{}{"components": []string{"apiserver", "thing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}}},
psOut: "kube-apiserver \nthing",
exp: map[string]string{"apiserver": "kube-apiserver", "thing": "thing"},
config: map[string]interface{}{"components": []string{"apiserver", "thing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}}},
psOut: "kube-apiserver \nthing",
exp: map[string]string{"apiserver": "kube-apiserver", "thing": "thing"},
expectErr: false,
},
{
// default binary to component name
config: map[string]interface{}{"components": []string{"apiserver", "thing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}, "optional": true}},
psOut: "kube-apiserver \notherthing some params",
exp: map[string]string{"apiserver": "kube-apiserver", "thing": "thing"},
config: map[string]interface{}{"components": []string{"apiserver", "thing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}, "optional": true}},
psOut: "kube-apiserver \notherthing some params",
exp: map[string]string{"apiserver": "kube-apiserver", "thing": "thing"},
expectErr: false,
},
{
// missing mandatory component
config: map[string]interface{}{"components": []string{"apiserver", "thing"}, "apiserver": map[string]interface{}{"bins": []string{"apiserver", "kube-apiserver"}}, "thing": map[string]interface{}{"bins": []string{"something else", "thing"}, "optional": true}},
psOut: "otherthing some params",
exp: map[string]string{"apiserver": "kube-apiserver", "thing": "thing"},
expectErr: true,
},
}
@@ -152,8 +166,12 @@ func TestGetBinaries(t *testing.T) {
for k, val := range c.config {
v.Set(k, val)
}
m := getBinaries(v)
if !reflect.DeepEqual(m, c.exp) {
m, err := getBinaries(v)
if c.expectErr {
if err == nil {
t.Fatal("Got nil Expected error")
}
} else if !reflect.DeepEqual(m, c.exp) {
t.Fatalf("Got %v\nExpected %v", m, c.exp)
}
})
@@ -182,19 +200,17 @@ func TestMultiWordReplace(t *testing.T) {
}
}
func TestGetKubeVersion(t *testing.T) {
ver := getKubeVersion()
if ver == nil {
t.Log("Expected non nil version info.")
} else {
if ok, err := regexp.MatchString(`\d+.\d+`, ver.Client); !ok && err != nil {
t.Logf("Expected:%v got %v\n", "n.m", ver.Client)
}
if ok, err := regexp.MatchString(`\d+.\d+`, ver.Server); !ok && err != nil {
t.Logf("Expected:%v got %v\n", "n.m", ver.Server)
}
func TestKubeVersionRegex(t *testing.T) {
ver := getVersionFromKubectlOutput(`Client Version: v1.8.0
Server Version: v1.8.12
`)
if ver != "1.8" {
t.Fatalf("Expected 1.8 got %s", ver)
}
ver = getVersionFromKubectlOutput("Something completely different")
if ver != "1.6" {
t.Fatalf("Expected 1.6 got %s", ver)
}
}
@@ -282,7 +298,82 @@ func TestGetConfigFiles(t *testing.T) {
e = c.statResults
eIndex = 0
m := getConfigFiles(v, "conf")
m := getConfigFiles(v)
if !reflect.DeepEqual(m, c.exp) {
t.Fatalf("Got %v\nExpected %v", m, c.exp)
}
})
}
}
func TestGetServiceFiles(t *testing.T) {
cases := []struct {
config map[string]interface{}
exp map[string]string
statResults []error
}{
{
config: map[string]interface{}{
"components": []string{"kubelet"},
"kubelet": map[string]interface{}{"svc": []string{"kubelet", "10-kubeadm.conf"}},
},
statResults: []error{os.ErrNotExist, nil},
exp: map[string]string{"kubelet": "10-kubeadm.conf"},
},
{
// Component "thing" isn't included in the list of components
config: map[string]interface{}{
"components": []string{"kubelet"},
"kubelet": map[string]interface{}{"svc": []string{"kubelet", "10-kubeadm.conf"}},
"thing": map[string]interface{}{"svc": []string{"/my/file/thing"}},
},
statResults: []error{os.ErrNotExist, nil},
exp: map[string]string{"kubelet": "10-kubeadm.conf"},
},
{
// More than one component
config: map[string]interface{}{
"components": []string{"kubelet", "thing"},
"kubelet": map[string]interface{}{"svc": []string{"kubelet", "10-kubeadm.conf"}},
"thing": map[string]interface{}{"svc": []string{"/my/file/thing"}},
},
statResults: []error{os.ErrNotExist, nil, nil},
exp: map[string]string{"kubelet": "10-kubeadm.conf", "thing": "/my/file/thing"},
},
{
// Default thing to specified default service
config: map[string]interface{}{
"components": []string{"kubelet", "thing"},
"kubelet": map[string]interface{}{"svc": []string{"kubelet", "10-kubeadm.conf"}},
"thing": map[string]interface{}{"svc": []string{"/my/file/thing"}, "defaultsvc": "another/thing"},
},
statResults: []error{os.ErrNotExist, nil, os.ErrNotExist},
exp: map[string]string{"kubelet": "10-kubeadm.conf", "thing": "another/thing"},
},
{
// Default thing to component name
config: map[string]interface{}{
"components": []string{"kubelet", "thing"},
"kubelet": map[string]interface{}{"svc": []string{"kubelet", "10-kubeadm.conf"}},
"thing": map[string]interface{}{"svc": []string{"/my/file/thing"}},
},
statResults: []error{os.ErrNotExist, nil, os.ErrNotExist},
exp: map[string]string{"kubelet": "10-kubeadm.conf", "thing": "thing"},
},
}
v := viper.New()
statFunc = fakestat
for id, c := range cases {
t.Run(strconv.Itoa(id), func(t *testing.T) {
for k, val := range c.config {
v.Set(k, val)
}
e = c.statResults
eIndex = 0
m := getServiceFiles(v)
if !reflect.DeepEqual(m, c.exp) {
t.Fatalf("Got %v\nExpected %v", m, c.exp)
}
@@ -309,3 +400,45 @@ func TestMakeSubsitutions(t *testing.T) {
})
}
}
func TestGetConfigFilePath(t *testing.T) {
var err error
cfgDir, err = ioutil.TempDir("", "kube-bench-test")
if err != nil {
t.Fatalf("Failed to create temp directory")
}
defer os.RemoveAll(cfgDir)
d := filepath.Join(cfgDir, "1.8")
err = os.Mkdir(d, 0666)
if err != nil {
t.Fatalf("Failed to create temp file")
}
ioutil.WriteFile(filepath.Join(d, "master.yaml"), []byte("hello world"), 0666)
cases := []struct {
specifiedVersion string
runningVersion string
succeed bool
exp string
}{
{runningVersion: "1.8", succeed: true, exp: d},
{runningVersion: "1.9", succeed: true, exp: d},
{runningVersion: "1.10", succeed: true, exp: d},
{runningVersion: "1.1", succeed: false},
{specifiedVersion: "1.8", succeed: true, exp: d},
{specifiedVersion: "1.9", succeed: false},
{specifiedVersion: "1.10", succeed: false},
}
for _, c := range cases {
t.Run(c.specifiedVersion+"-"+c.runningVersion, func(t *testing.T) {
path, err := getConfigFilePath(c.specifiedVersion, c.runningVersion, "/master.yaml")
if err != nil && c.succeed {
t.Fatalf("Error %v", err)
}
if path != c.exp {
t.Fatalf("Got %s expected %s", path, c.exp)
}
})
}
}

29
entrypoint.sh
View File

@@ -1,14 +1,19 @@
#!/bin/sh
if [ -d /host ]; then
mkdir -p /host/cfg/
yes | cp -rf ./kube-bench/cfg/* /host/cfg/
yes | cp -rf ./kube-bench/kube-bench /host/
echo "==============================================="
echo "kube-bench is now installed on your host "
echo "Run ./kube-bench to perform a security check "
echo "==============================================="
#!/bin/sh -e
if [ "$1" == "install" ]; then
if [ -d /host ]; then
mkdir -p /host/cfg/
yes | cp -rf cfg/* /host/cfg/
yes | cp -rf /usr/local/bin/kube-bench /host/
echo "==============================================="
echo "kube-bench is now installed on your host "
echo "Run ./kube-bench to perform a security check "
echo "==============================================="
else
echo "Usage:"
echo " install: docker run --rm -v \`pwd\`:/host aquasec/kube-bench install"
echo " run: docker run --rm --pid=host aquasec/kube-bench [command]"
exit
fi
else
echo "Usage:"
echo " docker run --rm -v \`pwd\`:/host aquasec/kube-bench"
exit
exec kube-bench "$@"
fi

46
hack/debug.yaml Normal file
View File

@@ -0,0 +1,46 @@
# use this pod with: kubectl run ubuntu -it --pid=host -- /bin/bash
# this allows you to debug what is running on the host.
apiVersion: v1
kind: Pod
metadata:
name: ubuntu
spec:
hostPID: true
containers:
- name: ubuntu
image: ubuntu
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/bin
- name: kind-bin
mountPath: /kind/bin
resources:
limits:
memory: "128Mi"
cpu: "500m"
volumes:
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: kind-bin
hostPath:
path: "/kind/bin"

50
hack/kind.yaml Normal file
View File

@@ -0,0 +1,50 @@
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: aquasec/kube-bench:${VERSION}
command: ["kube-bench"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/bin
- name: kind-bin
mountPath: /kind/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: kind-bin
hostPath:
path: "/kind/bin"

0
hooks/build Normal file → Executable file
View File

BIN
images/kube-bench.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

121
images/kube-bench.svg Normal file
View File

@@ -0,0 +1,121 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 831.49597 755.90533"
height="755.90533"
width="831.49597"
xml:space="preserve"
id="svg2"
version="1.1"><metadata
id="metadata8"><rdf:RDF><cc:Work
rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" /></cc:Work></rdf:RDF></metadata><defs
id="defs6"><clipPath
id="clipPath22"
clipPathUnits="userSpaceOnUse"><path
id="path20"
d="M 0,566.929 H 623.622 V 0 H 0 Z" /></clipPath></defs><g
transform="matrix(1.3333333,0,0,-1.3333333,0,755.90533)"
id="g10"><g
transform="translate(314.8111,521.959)"
id="g12"><path
id="path14"
style="fill:#0ab1d5;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="M 0,0 -106.784,-145.31 0,-280.384 105.477,-147.025 Z" /></g><g
id="g16"><g
clip-path="url(#clipPath22)"
id="g18"><g
transform="translate(51.8912,72.061)"
id="g24"><path
id="path26"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 71.061 c 0,3.629 2.86,6.6 6.6,6.6 3.74,0 6.6,-2.971 6.6,-6.6 V 32.45 h 2.97 c 1.32,0 2.42,0.551 3.52,1.981 L 33.44,52.69 c 1.43,1.981 3.081,3.3 5.72,3.3 3.63,0 6.271,-2.969 6.271,-6.599 0,-1.87 -0.881,-3.411 -1.981,-4.731 L 29.59,27.5 44.44,3.96 C 45.32,2.641 45.76,1.21 45.76,0 c 0,-3.63 -2.97,-6.6 -6.6,-6.6 -2.309,0 -4.4,1.54 -5.5,3.411 L 19.8,19.25 c -0.88,1.431 -1.98,2.091 -3.52,2.091 H 13.2 L 13.2,0 C 13.2,-3.63 10.34,-6.6 6.6,-6.6 2.86,-6.6 0,-3.63 0,0" /></g><g
transform="translate(104.9547,86.8013)"
id="g28"><path
id="path30"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 34.65 c 0,3.63 2.97,6.6 6.6,6.6 3.629,0 6.6,-2.97 6.6,-6.6 V 2.86 c 0,-8.47 3.409,-11.44 9.57,-11.44 4.73,0 9.24,2.86 11.33,4.95 v 38.28 c 0,3.63 2.97,6.6 6.6,6.6 3.63,0 6.6,-2.97 6.6,-6.6 v -50.16 c 0,-3.3 -2.53,-5.83 -5.72,-5.83 -2.97,0 -5.06,2.09 -5.72,4.95 l -0.55,2.42 C 32.12,-17.16 26.18,-21.34 18.149,-21.34 5.06,-21.34 0,-11.99 0,0" /></g><g
transform="translate(197.5084,90.4312)"
id="g32"><path
id="path34"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 12.65 c 0,8.47 -2.971,12.54 -10.341,12.54 -4.069,0 -8.029,-2.2 -10.559,-4.839 V -7.59 c 2.53,-2.639 6.49,-4.95 10.559,-4.95 C -2.971,-12.54 0,-8.47 0,0 m -34.101,-19.14 v 71.83 c 0,3.63 2.861,6.601 6.6,6.601 3.74,0 6.601,-2.971 6.601,-6.601 V 31.57 c 3.08,3.191 8.359,6.05 14.299,6.05 13.09,0 19.8,-8.8 19.8,-23.54 V -1.319 c 0,-14.741 -6.819,-23.651 -20.13,-23.651 -6.16,0 -11.88,2.97 -14.96,6.491 l -0.66,-2.201 c -0.769,-2.53 -3.08,-4.29 -5.72,-4.29 -3.299,0 -5.83,2.75 -5.83,5.83" /></g><g
transform="translate(251.7047,102.311)"
id="g36"><path
id="path38"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 c 0,9.57 -1.87,14.301 -9.9,14.301 -7.92,0 -9.9,-4.181 -9.9,-14.301 z M -33,-15.069 V 2.2 c 0,14.521 7.479,23.54 23.1,23.54 15.95,0 22.77,-8.689 22.77,-23.54 v -7.37 c 0,-2.859 -2.309,-5.17 -5.17,-5.17 h -27.5 v -5.939 c 0,-4.62 2.86,-9.13 10.89,-9.13 5.72,0 8.8,0.88 13.09,2.97 0.66,0.33 1.54,0.66 2.42,0.66 2.97,0 5.39,-2.42 5.39,-5.391 0,-2.309 -1.429,-3.96 -3.52,-5.17 -5.17,-2.97 -10.23,-4.51 -17.93,-4.51 -15.73,0 -23.54,8.25 -23.54,21.781" /></g><g
transform="translate(271.7564,99.4517)"
id="g40"><path
id="path42"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 c 0,3.3 2.53,5.83 5.721,5.83 h 19.91 c 3.3,0 5.83,-2.53 5.83,-5.83 0,-3.19 -2.53,-5.72 -5.83,-5.72 H 5.721 C 2.53,-5.72 0,-3.19 0,0" /></g><g
transform="translate(345.776,90.4312)"
id="g44"><path
id="path46"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 12.65 c 0,8.47 -2.971,12.54 -10.341,12.54 -4.069,0 -8.029,-2.2 -10.559,-4.839 V -7.59 c 2.53,-2.639 6.49,-4.95 10.559,-4.95 C -2.971,-12.54 0,-8.47 0,0 m -34.101,-19.14 v 71.83 c 0,3.63 2.861,6.601 6.6,6.601 3.74,0 6.601,-2.971 6.601,-6.601 V 31.57 c 3.08,3.191 8.359,6.05 14.299,6.05 13.09,0 19.8,-8.8 19.8,-23.54 V -1.319 c 0,-14.741 -6.819,-23.651 -20.13,-23.651 -6.16,0 -11.88,2.97 -14.96,6.491 l -0.66,-2.201 c -0.769,-2.53 -3.08,-4.29 -5.72,-4.29 -3.299,0 -5.83,2.75 -5.83,5.83" /></g><g
transform="translate(399.9723,102.311)"
id="g48"><path
id="path50"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 c 0,9.57 -1.87,14.301 -9.9,14.301 -7.92,0 -9.9,-4.181 -9.9,-14.301 z M -33,-15.069 V 2.2 c 0,14.521 7.479,23.54 23.1,23.54 15.95,0 22.77,-8.689 22.77,-23.54 v -7.37 c 0,-2.859 -2.309,-5.17 -5.17,-5.17 h -27.5 v -5.939 c 0,-4.62 2.86,-9.13 10.89,-9.13 5.72,0 8.8,0.88 13.09,2.97 0.66,0.33 1.54,0.66 2.42,0.66 2.97,0 5.39,-2.42 5.39,-5.391 0,-2.309 -1.429,-3.96 -3.52,-5.17 -5.17,-2.97 -10.23,-4.51 -17.93,-4.51 -15.73,0 -23.54,8.25 -23.54,21.781" /></g><g
transform="translate(421.8512,72.061)"
id="g52"><path
id="path54"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 50.16 c 0,3.301 2.53,5.83 5.72,5.83 2.97,0 5.06,-2.09 5.72,-4.949 l 0.55,-2.421 c 3.19,3.191 9.13,7.37 17.16,7.37 13.09,0 18.15,-9.349 18.15,-21.34 V 0 c 0,-3.63 -2.97,-6.6 -6.6,-6.6 -3.63,0 -6.599,2.97 -6.599,6.6 v 31.79 c 0,8.471 -3.411,11.44 -9.571,11.44 -4.73,0 -9.24,-2.86 -11.33,-4.95 L 13.2,0 C 13.2,-3.63 10.23,-6.6 6.6,-6.6 2.97,-6.6 0,-3.63 0,0" /></g><g
transform="translate(478.358,89.1118)"
id="g56"><path
id="path58"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 15.29 c 0,14.52 8.36,23.649 24.31,23.649 8.36,0 14.08,-3.08 18.15,-8.029 1.21,-1.54 1.87,-2.75 1.87,-4.511 0,-3.299 -2.53,-5.83 -5.83,-5.83 -1.76,0 -3.08,0.66 -4.4,1.981 -2.75,2.75 -5.39,4.62 -9.79,4.62 -8.69,0 -11.11,-5.83 -11.11,-12.981 L 13.2,1.1 c 0,-7.151 2.75,-12.981 11.44,-12.981 4.4,0 7.04,1.87 9.79,4.62 1.32,1.321 2.31,1.981 4.29,1.981 3.3,0 5.94,-2.531 5.94,-5.83 0,-1.76 -0.66,-2.97 -1.87,-4.51 C 38.72,-20.57 33,-23.65 24.64,-23.65 8.689,-23.65 0,-14.521 0,0" /></g><g
transform="translate(530.5396,72.061)"
id="g60"><path
id="path62"
style="fill:#464648;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 v 71.061 c 0,3.629 2.86,6.6 6.6,6.6 3.74,0 6.6,-2.971 6.6,-6.6 v -21.34 c 3.41,2.969 9.02,6.269 16.17,6.269 13.09,0 18.26,-9.349 18.26,-21.34 V 0 c 0,-3.63 -2.859,-6.6 -6.6,-6.6 -3.74,0 -6.6,2.97 -6.6,6.6 v 31.79 c 0,8.471 -3.52,11.44 -9.68,11.44 -4.729,0 -9.46,-2.86 -11.55,-4.95 V 0 C 13.2,-3.63 10.34,-6.6 6.6,-6.6 2.86,-6.6 0,-3.63 0,0" /></g><g
transform="translate(249.2096,192.0259)"
id="g64"><path
id="path66"
style="fill:#f1df36;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 h 0.008 l 131.211,0.031 h 0.013 c 3.063,0 6.107,0.66 8.916,1.863 L 65.602,49.549 -8.531,1.7 C -5.83,0.6 -2.923,0 0,0" /></g><g
transform="translate(420.2877,374.9341)"
id="g68"><path
id="path70"
style="fill:#faaf42;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 -105.477,-133.359 74.547,-47.655 c 3.392,1.452 6.439,3.697 8.747,6.559 l 75.104,93.431 6.686,8.317 c 1.38,1.714 2.479,3.637 3.289,5.675 0.384,0.965 0.701,1.954 0.95,2.962 z" /></g><g
transform="translate(145.3785,311.2251)"
id="g72"><path
id="path74"
style="fill:#faaf42;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 c 0.583,-2.568 1.609,-5.036 3.054,-7.245 0.401,-0.614 0.83,-1.209 1.285,-1.783 l 81.823,-101.735 c 2.396,-2.975 5.588,-5.289 9.138,-6.736 L 169.433,-69.65 62.648,65.424 Z" /></g><g
transform="translate(179.4977,457.7324)"
id="g76"><path
id="path78"
style="fill:#9ad7ec;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 c -2.408,-2.762 -4.144,-6.1 -4.985,-9.762 l -29.149,-126.8 c -0.65,-2.826 -0.715,-5.774 -0.239,-8.633 0.073,-0.44 0.155,-0.878 0.254,-1.312 l 62.648,65.424 z" /></g><g
transform="translate(484.1334,310.8643)"
id="g80"><path
id="path82"
style="fill:#9ad7ec;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="M 0,0 C 0.837,3.378 0.913,6.943 0.131,10.337 L -29.076,137.21 c -0.791,3.437 -2.374,6.586 -4.566,9.236 L -63.846,64.07 Z" /></g><g
transform="translate(317.7506,366.4487)"
id="g84"><path
id="path86"
style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="M 0,0 40.622,41.329 H 14.038 L -18.791,6.272 V 77.598 H -39.47 V -56.101 h 20.679 v 40.069 l 3.269,3.181 33.46,-43.25 h 27.03 z" /></g><g
transform="translate(275.7818,468.8486)"
id="g88"><path
id="path90"
style="fill:#1280c4;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 39.028,53.109 c -0.01,0 -0.022,10e-4 -0.033,10e-4 -0.047,0 -0.094,-0.003 -0.141,-0.003 C 38.521,53.105 38.187,53.099 37.853,53.082 37.814,53.08 37.776,53.072 37.738,53.07 34.783,52.909 31.86,52.166 29.192,50.889 L -89.022,-5.593 c -2.809,-1.342 -5.266,-3.235 -7.262,-5.523 L -67.755,-92.199 0,0.03 Z" /></g><g
transform="translate(442.8853,463.2578)"
id="g92"><path
id="path94"
style="fill:#1280c4;fill-opacity:1;fill-rule:nonzero;stroke:none"
d="m 0,0 -118.288,56.48 c -3.039,1.455 -6.412,2.215 -9.785,2.22 L -22.598,-88.324 7.606,-5.947 C 5.558,-3.467 2.978,-1.422 0,0" /></g></g></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

38
job-master.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench-master
spec:
template:
spec:
hostPID: true
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench","master"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"

37
job-node.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench-node
spec:
template:
spec:
hostPID: true
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench","node"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/bin
restartPolicy: Never
volumes:
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"

45
job.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"

BIN
kb Executable file
View File

Binary file not shown.

67
makefile
View File

@@ -1,7 +1,72 @@
SOURCES := $(shell find . -name '*.go')
TARGET_OS := linux
BINARY := kube-bench
DOCKER_REGISTRY ?= aquasec
VERSION ?= $(shell git rev-parse --short=7 HEAD)
IMAGE_NAME ?= $(DOCKER_REGISTRY)/$(BINARY):$(VERSION)
TARGET_OS := linux
BUILD_OS := linux
uname := $(shell uname -s)
ifneq ($(findstring Microsoft,$(shell uname -r)),)
BUILD_OS := windows
else ifeq ($(uname),Linux)
BUILD_OS := linux
else ifeq ($(uname),Darwin)
BUILD_OS := darwin
endif
# kind cluster name to use
KIND_PROFILE ?= kube-bench
KIND_CONTAINER_NAME=$(KIND_PROFILE)-control-plane
build: kube-bench
$(BINARY): $(SOURCES)
GOOS=$(TARGET_OS) go build -o $(BINARY) .
# builds the current dev docker version
build-docker:
docker build --build-arg BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
--build-arg VCS_REF=$(shell git rev-parse --short HEAD) \
-t $(IMAGE_NAME) .
tests:
go test -race -timeout 30s -cover ./cmd ./check
# creates a kind cluster to be used for development.
HAS_KIND := $(shell command -v kind;)
kind-test-cluster:
ifndef HAS_KIND
go get -u sigs.k8s.io/kind
endif
@if [ -z $$(kind get clusters | grep $(KIND_PROFILE)) ]; then\
echo "Could not find $(KIND_PROFILE) cluster. Creating...";\
kind create cluster --name $(KIND_PROFILE) --image kindest/node:v1.11.3 --wait 5m;\
fi
# pushses the current dev version to the kind cluster.
kind-push:
docker save $(IMAGE_NAME) -o kube-bench.tar.gz; \
docker cp kube-bench.tar.gz $(KIND_CONTAINER_NAME):/kube-bench.tar.gz; \
docker exec $(KIND_CONTAINER_NAME) docker load -i /kube-bench.tar.gz;
-rm -f kube-bench.tar.gz
# runs the current version on kind using a job and follow logs
kind-run: KUBECONFIG = "$(shell kind get kubeconfig-path --name="$(KIND_PROFILE)")"
kind-run: ensure-stern
sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind.yaml > ./hack/kind.test.yaml
-KUBECONFIG=$(KUBECONFIG) \
kubectl delete job kube-bench
KUBECONFIG=$(KUBECONFIG) \
kubectl apply -f ./hack/kind.test.yaml
KUBECONFIG=$(KUBECONFIG) \
stern -l app=kube-bench --container kube-bench
# ensures that stern is installed
HAS_STERN := $(shell command -v stern;)
ensure-stern:
ifndef HAS_STERN
curl -LO https://github.com/wercker/stern/releases/download/1.10.0/stern_$(BUILD_OS)_amd64 && \
chmod +rx ./stern_$(BUILD_OS)_amd64 && \
mv ./stern_$(BUILD_OS)_amd64 /usr/local/bin/stern
endif