adds kube-bench version to docker build hook (#524)

* Add kubeconfig location of kube-proxy for AKS

* Add job for AKS node

* Automate ca file permission check

* removed job-aks.yaml as other PRs added needed features

* fixed integration test due to merge changes

.travis.yml

@@ -15,7 +15,7 @@ before_install:
 
 script:
   - GO111MODULE=on go test ./...
-  - docker build --tag kube-bench .
+  - IMAGE_NAME=kube-bench make build-docker
   - docker run -v `pwd`:/host kube-bench install 
   - test -d cfg
   - test -f kube-bench

Dockerfile

@@ -1,9 +1,9 @@
 FROM golang:1.12 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
-ADD go.mod go.sum ./
-ADD main.go .
-ADD check/ check/
-ADD cmd/ cmd/
+COPY go.mod go.sum ./
+COPY main.go .
+COPY check/ check/
+COPY cmd/ cmd/
 ARG KUBEBENCH_VERSION
 RUN GO111MODULE=on CGO_ENABLED=0 go install -a -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=${KUBEBENCH_VERSION} -w"
 
@@ -13,8 +13,8 @@ WORKDIR /opt/kube-bench/
 # https://github.com/aquasecurity/kube-bench/issues/109
 RUN apk --no-cache add procps
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
-ADD entrypoint.sh .
-ADD cfg/ cfg/
+COPY entrypoint.sh .
+COPY cfg/ cfg/
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 

cfg/cis-1.4/master.yaml

@@ -1215,7 +1215,7 @@ groups:
         set: true
     remediation: |
       [Manual test]
-      Run the below command (based on the file location on your system) on the master node. 
+      Run the below command (based on the file location on your system) on the master node.
       For example, chown -R root:root /etc/kubernetes/pki/
     scored: true
     
@@ -1243,7 +1243,7 @@ groups:
           set: true
     remediation: |
       [Manual test]
-      Run the below command (based on the file location on your system) on the master node. 
+      Run the below command (based on the file location on your system) on the master node.
       For example, chmod -R 644 /etc/kubernetes/pki/*.crt
     scored: true
     
@@ -1260,7 +1260,7 @@ groups:
           set: true
     remediation: |
       [Manual test]
-      Run the below command (based on the file location on your system) on the master node. 
+      Run the below command (based on the file location on your system) on the master node.
       For example, chmod -R 600 /etc/kubernetes/pki/*.key
     scored: true
 

cfg/cis-1.4/node.yaml

@@ -464,8 +464,25 @@ groups:
 
   - id: 2.2.7
     text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
-    type: manual
-    tests: {}
+    audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "644"
+        compare:
+          op: eq
+          value: "644"
+        set: true
+      - flag: "640"
+        compare:
+          op: eq
+          value: "640"
+        set: true
+      - flag: "600"
+        compare:
+          op: eq
+          value: "600"
+        set: true
     remediation: |
       Run the following command to modify the file permissions of the --client-ca-file
       chmod 644 <filename>

cfg/config.yaml

@@ -135,7 +135,8 @@ node:
       - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
       - /var/snap/kube-proxy/current/args
     kubeconfig:
-      - /etc/kubernetes/kubelet-kubeconfig
+      - "/etc/kubernetes/kubelet-kubeconfig"
+      - "/var/lib/kubelet/kubeconfig"
     svc:
       - "/lib/systemd/system/kube-proxy.service"
     defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

hooks/build

@@ -3,4 +3,5 @@
 # $IMAGE_NAME var is injected into the build so the tag is correct. 
 docker build --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
              --build-arg VCS_REF=`git rev-parse --short HEAD` \
+             --build-arg KUBEBENCH_VERSION=`git describe --tags --abbrev=0` \
              -t $IMAGE_NAME .

integration/testdata/job-master.data

@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
 chown etcd:etcd /var/lib/etcd
 
 1.4.19 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chown -R root:root /etc/kubernetes/pki/
 
 1.4.20 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 644 /etc/kubernetes/pki/*.crt
 
 1.4.21 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 600 /etc/kubernetes/pki/*.key
 
 1.5.1 Follow the etcd service documentation and configure TLS encryption.

integration/testdata/job-node.data

@@ -21,7 +21,7 @@
 [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
 [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
 [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
 node. For example,
 chown root:root /etc/kubernetes/proxy.conf
 
-2.2.7 Run the following command to modify the file permissions of the --client-ca-file
-chmod 644 <filename>
-
 
 == Summary ==
-15 checks PASS
+16 checks PASS
 7 checks FAIL
-1 checks WARN
+0 checks WARN
 1 checks INFO

integration/testdata/job.data

@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
 chown etcd:etcd /var/lib/etcd
 
 1.4.19 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chown -R root:root /etc/kubernetes/pki/
 
 1.4.20 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 644 /etc/kubernetes/pki/*.crt
 
 1.4.21 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 600 /etc/kubernetes/pki/*.key
 
 1.5.1 Follow the etcd service documentation and configure TLS encryption.
@@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
 [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
 [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
 node. For example,
 chown root:root /etc/kubernetes/proxy.conf
 
-2.2.7 Run the following command to modify the file permissions of the --client-ca-file
-chmod 644 <filename>
-
 
 == Summary ==
-15 checks PASS
+16 checks PASS
 7 checks FAIL
-1 checks WARN
+0 checks WARN
 1 checks INFO