diff --git a/cfg/config.yaml b/cfg/config.yaml
index dcce7bad4020392873eb406e0711368476ca02a3..c8c89c9b647eeae87b84207b06a20f4386b309f2 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -7,11 +7,106 @@
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
-## Configuration Directories.
-# Specifies the directories to look for configuration files
-# for the kubernetes components.
-#
-## Uncomment to use different paths.
-# kubeConfDir: /etc/kubernetes
-# etcdConfDir: /etc/etcd
-# flanneldConfDir: /etc/sysconfig
+## Support components
+etcd:
+ bin: etcd
+ conf: /etc/etcd/etcd.conf
+
+flanneld:
+ bin: flanneld
+ conf: /etc/sysconfig/flanneld
+
+# Installation
+# Configure kubernetes component binaries and paths to their configuration files.
+installation:
+ default:
+ config: /etc/kubernetes/config
+ master:
+ bin:
+ apiserver: apiserver
+ scheduler: scheduler
+ controller-manager: controller-manager
+ conf:
+ apiserver: /etc/kubernetes/apiserver
+ scheduler: /etc/kubernetes/scheduler
+ controller-manager: /etc/kubernetes/apiserver
+ node:
+ bin:
+ kubelet: kubelet
+ proxy: proxy
+ conf:
+ kubelet: /etc/kubernetes/kubelet
+ proxy: /etc/kubernetes/proxy
+ federated:
+ bin:
+ apiserver: federation-apiserver
+ controller-manager: federation-controller-manager
+
+ kops:
+ config: /etc/kubernetes/config
+ master:
+ bin:
+ apiserver: apiserver
+ scheduler: scheduler
+ controller-manager: controller-manager
+ conf:
+ apiserver: /etc/kubernetes/apiserver
+ scheduler: /etc/kubernetes/scheduler
+ controller-manager: /etc/kubernetes/apiserver
+ node:
+ bin:
+ kubelet: kubelet
+ proxy: proxy
+ conf:
+ kubelet: /etc/kubernetes/kubelet
+ proxy: /etc/kubernetes/proxy
+ federated:
+ bin:
+ apiserver: federation-apiserver
+ controller-manager: federation-controller-manager
+
+ hyperkube:
+ config: /etc/kubernetes/config
+ master:
+ bin:
+ apiserver: hyperkube apiserver
+ scheduler: hyperkube scheduler
+ controller-manager: hyperkube controller-manager
+ conf:
+ apiserver: /etc/kubernetes/apiserver
+ scheduler: /etc/kubernetes/scheduler
+ controller-manager: /etc/kubernetes/apiserver
+ node:
+ bin:
+ kubelet: hyperkube kubelet
+ proxy: hyperkube proxy
+ conf:
+ kubelet: /etc/kubernetes/kubelet
+ proxy: /etc/kubernetes/proxy
+ federated:
+ bin:
+ apiserver: hyperkube federation-apiserver
+ controller-manager: hyperkube federation-controller-manager
+
+ kubeadm:
+ config: /etc/kubernetes/config
+ master:
+ bin:
+ apiserver: kube-apiserver
+ scheduler: kube-scheduler
+ controller-manager: kube-controller-manager
+ conf:
+ apiserver: /etc/kubernetes/admin.conf
+ scheduler: /etc/kubernetes/scheduler.conf
+ controller-manager: /etc/kubernetes/controller-manager.conf
+ node:
+ bin:
+ kubelet: kubelet
+ proxy: kube-proxy
+ conf:
+ kubelet: /etc/kubernetes/kubelet.conf
+ proxy: /etc/kubernetes/proxy.conf
+ federated:
+ bin:
+ apiserver: kube-federation-apiserver
+ controller-manager: kube-federation-controller-manager
diff --git a/cfg/federated.yaml b/cfg/federated.yaml
index 87e8054c2d5801598e104a11b0f1823c0c168171..fbff661942cf0fb42b66939e8584b3212fb26e52 100644
--- a/cfg/federated.yaml
+++ b/cfg/federated.yaml
@@ -9,7 +9,7 @@ groups:
checks:
- id: 3.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -23,7 +23,7 @@ groups:
- id: 3.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--basic-auth-file"
@@ -35,7 +35,7 @@ groups:
- id: 3.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-allow-any-token"
@@ -46,7 +46,7 @@ groups:
- id: 3.1.4
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-bind-address"
@@ -57,7 +57,7 @@ groups:
- id: 3.1.5
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-port"
@@ -71,7 +71,7 @@ groups:
- id: 3.1.6
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -88,7 +88,7 @@ groups:
- id: 3.1.7
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -102,7 +102,7 @@ groups:
- id: 3.1.8
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -117,7 +117,7 @@ groups:
- id: 3.1.9
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "admission-control"
@@ -131,7 +131,7 @@ groups:
- id: 3.1.10
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-path"
@@ -142,7 +142,7 @@ groups:
- id: 3.1.11
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxage"
@@ -156,7 +156,7 @@ groups:
- id: 3.1.12
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxbackup"
@@ -170,7 +170,7 @@ groups:
- id: 3.1.13
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxsize"
@@ -184,7 +184,7 @@ groups:
- id: 3.1.14
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -198,7 +198,7 @@ groups:
- id: 3.1.15
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--token-auth-file"
@@ -210,7 +210,7 @@ groups:
- id: 3.1.16
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-lookup"
@@ -224,7 +224,7 @@ groups:
- id: 3.1.17
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-key-file"
@@ -235,7 +235,7 @@ groups:
- id: 3.1.18
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -252,7 +252,7 @@ groups:
- id: 3.1.19
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $federationApiserver | grep -v grep"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -271,7 +271,7 @@ groups:
checks:
- id: 3.2.1
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $federationControllerManager | grep -v grep"
+ audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
diff --git a/cfg/master.yaml b/cfg/master.yaml
index f24b342d9eea3ccb158a4051a35ec4ea8e256774..50b77a9894a8f1916ee0f05abe761195344174f1 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -9,7 +9,7 @@ groups:
checks:
- id: 1.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "allow-privileged"
@@ -17,13 +17,13 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $apiserverConf file on the master node and set
+ remediation: "Edit the $apiserverconf file on the master node and set
the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\""
scored: true
- id: 1.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -31,37 +31,37 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $apiserverConf file on the master node and set
+ remediation: "Edit the $apiserverconf file on the master node and set
the KUBE_API_ARGS parameter to \"--anonymous-auth=false\""
scored: true
- id: 1.1.3
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--basic-auth-file"
set: false
remediation: "Follow the documentation and configure alternate mechanisms for
- authentication. Then, edit the $apiserverConf file on the master
+ authentication. Then, edit the $apiserverconf file on the master
node and remove the \"--basic-auth-file=<filename>\" argument from the
KUBE_API_ARGS parameter."
scored: true
- id: 1.1.4
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-allow-any-token"
set: false
- remediation: "Edit the $apiserverConf file on the master node and remove
+ remediation: "Edit the $apiserverconf file on the master node and remove
the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter."
scored: true
- id: 1.1.5
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -72,24 +72,24 @@ groups:
set: true
- flag: "--kubelet-https"
set: false
- remediation: "Edit the $apiserverConf file on the master node and remove
+ remediation: "Edit the $apiserverconf file on the master node and remove
the --kubelet-https argument from the KUBE_API_ARGS parameter."
scored: true
- id: 1.1.6
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-bind-address"
set: false
- remediation: "Edit the $apiserverConf file on the master node and remove
+ remediation: "Edit the $apiserverconf file on the master node and remove
the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter."
scored: true
- id: 1.1.7
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-port"
@@ -97,13 +97,13 @@ groups:
op: eq
value: 0
set: true
- remediation: "Edit the $apiserverConf file on the master node and set
+ remediation: "Edit the $apiserverconf file on the master node and set
--insecure-port=0 in the KUBE_API_PORT parameter."
scored: true
- id: 1.1.8
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -114,14 +114,14 @@ groups:
set: true
- flag: "--secure-port"
set: false
- remediation: "Edit the $apiserverConf file on the master node and either
+ remediation: "Edit the $apiserverconf file on the master node and either
remove the --secure-port argument from the KUBE_API_ARGS parameter or set
it to a different desired port."
scored: true
- id: 1.1.9
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -129,13 +129,13 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--profiling=false\""
scored: true
- id: 1.1.10
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--repair-malformed-updates"
@@ -143,13 +143,13 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\""
scored: true
- id: 1.1.11
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -157,13 +157,13 @@ groups:
op: nothave
value: AlwaysAdmit
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit"
scored: true
- id: 1.1.12
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -171,13 +171,13 @@ groups:
op: has
value: "AlwaysPullImages"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\""
scored: true
- id: 1.1.13
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -185,13 +185,13 @@ groups:
op: has
value: "DenyEscalatingExec"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\""
scored: true
- id: 1.1.14
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -199,13 +199,13 @@ groups:
op: has
value: "SecurityContextDeny"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\""
scored: true
- id: 1.1.15
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "admission-control"
@@ -213,24 +213,24 @@ groups:
op: has
value: "NamespaceLifecycle"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\""
scored: true
- id: 1.1.16
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-path"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--audit-log-path=<filename>\""
scored: true
- id: 1.1.17
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxage"
@@ -238,13 +238,13 @@ groups:
op: gte
value: 30
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--audit-log-maxage=30\""
scored: true
- id: 1.1.18
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxbackup"
@@ -252,13 +252,13 @@ groups:
op: gte
value: 10
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\""
scored: true
- id: 1.1.19
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxsize"
@@ -266,13 +266,13 @@ groups:
op: gte
value: 100
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\""
scored: true
- id: 1.1.20
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -280,38 +280,38 @@ groups:
op: nothave
value: "AlwaysAllow"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the
+ remediation: "Edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\""
scored: true
- id: 1.1.21
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--token-auth-file"
set: false
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
- Then, edit the $apiserverConf file on the master node and remove the
+ Then, edit the $apiserverconf file on the master node and remove the
\"--tokenauth-file=<filename>\" argument from the KUBE_API_ARGS parameter."
scored: true
- id: 1.1.22
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
set: true
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
- the apiserver and kubelets. Then, edit the $apiserverConf file on the
+ the apiserver and kubelets. Then, edit the $apiserverconf file on the
master node and set the KUBE_API_ARGS parameter to
\"--kubelet-certificate-authority=<ca-string>\""
scored: true
- id: 1.1.23
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -320,14 +320,14 @@ groups:
- flag: "--kubelet-client-key"
set: true
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
- and kubelets. Then, edit the $apiserverConf file on the master node and set the
+ and kubelets. Then, edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=<path/to/client-certificate-file>\"
and \"--kubelet-clientkey=<path/to/client-key-file>\""
scored: true
- id: 1.1.24
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-lookup"
@@ -335,13 +335,13 @@ groups:
op: eq
value: true
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the KUBE_API_ARGS parameter
+ remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter
to \"--service-account-lookup=true\""
scored: true
- id: 1.1.25
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -350,24 +350,24 @@ groups:
value: "PodSecurityPolicy"
set: true
remediation: "Follow the documentation and create Pod Security Policy objects as per your environment.
- Then, edit the $apiserverConf file on the master node and set the KUBE_ADMISSION_CONTROL
+ Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL
parameter to \"--admission-control=...,PodSecurityPolicy,...\""
scored: true
- id: 1.1.26
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-key-file"
set: true
- remediation: "Edit the $apiserverConf file on the master node and set the KUBE_API_ARGS
+ remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--service-account-key-file=<filename>\""
scored: true
- id: 1.1.27
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -376,14 +376,14 @@ groups:
- flag: "--etcd-keyfile"
set: true
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
- and etcd. Then, edit the $apiserverConf file on the master node and set the
+ and etcd. Then, edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to include \"--etcd-certfile=<path/to/clientcertificate-file>\"
and \"--etcd-keyfile=<path/to/client-key-file>\""
scored: true
- id: 1.1.28
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--admission-control"
@@ -392,13 +392,13 @@ groups:
value: "ServiceAccount"
set: true
remediation: "Follow the documentation and create ServiceAccount objects as per your environment.
- Then, edit the $apiserverConf file on the master node and set the
+ Then, edit the $apiserverconf file on the master node and set the
KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\""
scored: true
- id: 1.1.29
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
@@ -407,32 +407,32 @@ groups:
- flag: "--tls-private-key-file"
set: true
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
- Then, edit the $apiserverConf file on the master node and set the KUBE_API_ARGS parameter to
+ Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to
include \"--tls-cert-file=<path/to/tls-certificatefile>\" and
\"--tls-private-key-file=<path/to/tls-key-file>\""
scored: true
- id: 1.1.30
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--client-ca-file"
set: true
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
- Then, edit the $apiserverConf file on the master node and set the
+ Then, edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to include \"--client-ca-file=<path/to/client-ca-file>\""
scored: true
- id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeApiserver | grep -v grep"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
set: true
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
- and etcd. Then, edit the $apiserverConf file on the master node and set the
+ and etcd. Then, edit the $apiserverconf file on the master node and set the
KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
scored: true
@@ -441,7 +441,7 @@ groups:
checks:
- id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeScheduler | grep -v grep"
+ audit: "ps -ef | grep $schedulerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -449,7 +449,7 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $schedulerConf file on the master node and set the KUBE_SCHEDULER_ARGS
+ remediation: "Edit the $schedulerconf file on the master node and set the KUBE_SCHEDULER_ARGS
parameter to \"--profiling=false\""
scored: true
@@ -458,18 +458,18 @@ groups:
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--terminated-pod-gc-threshold"
set: true
- remediation: "Edit the $controllerManagerConf file on the master node and set the
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=<appropriate-number>\""
scored: true
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
@@ -477,25 +477,25 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $controllerManagerConf file on the master node and set the
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\""
scored: true
- id: 1.3.3
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
- audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
set: false
- remediation: "Edit the $controllerManagerConf file on the master node and remove
+ remediation: "Edit the $controllermanagerconf file on the master node and remove
the -insecure-experimental-approve-all-kubelet-csrs-for-group argument from the
KUBE_CONTROLLER_MANAGER_ARGS parameter"
scored: true
- id: 1.3.4
text: "Ensure that the --use-service-account-credentials argument is set"
- audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--use-service-account-credentials"
@@ -503,29 +503,29 @@ groups:
op: eq
value: true
set: true
- remediation: "Edit the $controllerManagerConf file on the master node and set the
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
scored: true
- id: 1.3.5
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-private-key-file"
set: true
- remediation: "Edit the $controllerManagerConf file on the master node and set the
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
scored: true
- id: 1.3.6
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--root-ca-file"
set: true
- remediation: "Edit the $controllerManagerConf file on the master node and set the
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
scored: true
@@ -534,124 +534,124 @@ groups:
checks:
- id: 1.4.1
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $apiserverConf; then stat -c %a $apiserverConf; fi"
+ audit: "if test -e $apiserverconf; then stat -c %a $apiserverconf; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chmod 644 $apiserverConf"
+ \nFor example, chmod 644 $apiserverconf"
scored: true
- id: 1.4.2
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
- audit: "if test -e $apiserverConf; then stat -c %U:%G $apiserverConf; fi"
+ audit: "if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chown root:root $apiserverConf"
+ \nFor example, chown root:root $apiserverconf"
scored: true
- id: 1.4.3
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $kubeConfig; then stat -c %a $kubeConfig; fi"
+ audit: "if test -e $config; then stat -c %a $config; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chmod 644 $kubeConfig"
+ \nFor example, chmod 644 $config"
scored: true
- id: 1.4.4
text: "Ensure that the config file ownership is set to root:root (Scored)"
- audit: "if test -e $kubeConfig; then stat -c %U:%G $kubeConfig; fi"
+ audit: "if test -e $config; then stat -c %U:%G $config; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chown root:root $kubeConfig"
+ \nFor example, chown root:root $config"
scored: true
- id: 1.4.5
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $schedulerConf; then stat -c %a $schedulerConf; fi"
+ audit: "if test -e $schedulerconf; then stat -c %a $schedulerconf; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chmod 644 $schedulerConf"
+ \nFor example, chmod 644 $schedulerconf"
scored: true
- id: 1.4.6
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
- audit: "if test -e $schedulerConf; then stat -c %U:%G $schedulerConf; fi"
+ audit: "if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chown root:root $schedulerConf"
+ \nFor example, chown root:root $schedulerconf"
scored: true
- id: 1.4.7
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $$etcdConf; then stat -c %a $$etcdConf; fi"
+ audit: "if test -e $etcdconf; then stat -c %a $etcdconf; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chmod 644 $$etcdConf"
+ \nFor example, chmod 644 $etcdconf"
scored: true
- id: 1.4.8
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
- audit: "if test -e $$etcdConf; then stat -c %U:%G $$etcdConf; fi"
+ audit: "if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chown root:root $$etcdConf"
+ \nFor example, chown root:root $etcdconf"
scored: true
- id: 1.4.9
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $$flanneldConf; then stat -c %a $$flanneldConf; fi"
+ audit: "if test -e $flanneldconf; then stat -c %a $flanneldconf; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chmod 644 $$flanneldConf"
+ \nFor example, chmod 644 $flanneldconf"
scored: true
- id: 1.4.10
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
- audit: "if test -e $$flanneldConf; then stat -c %U:%G $$flanneldConf; fi"
+ audit: "if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chown root:root $$flanneldConf"
+ \nFor example, chown root:root $flanneldconf"
scored: true
- id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
+ audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
tests:
test_items:
- flag: "700"
set: true
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
- ps -ef | grep $etcd\n
+ ps -ef | grep $etcdbin\n
Run the below command (based on the etcd data directory found above). For example,\n
chmod 700 /var/lib/etcd/default.etcd"
scored: true
@@ -661,7 +661,7 @@ groups:
checks:
- id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--cert-file"
@@ -673,7 +673,7 @@ groups:
- id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--client-cert-auth"
@@ -681,7 +681,7 @@ groups:
op: eq
value: true
set: true
- remediation: "Edit the etcd envrironment file (for example, $$etcdConf) on the
+ remediation: "Edit the etcd envrironment file (for example, $etcdconf) on the
etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\".
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\""
@@ -689,7 +689,7 @@ groups:
- id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -699,7 +699,7 @@ groups:
compare:
op: neq
value: true
- remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server
+ remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server
node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example,
/etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter
for --auto-tls."
@@ -707,7 +707,7 @@ groups:
- id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--peer-cert-file"
@@ -722,7 +722,7 @@ groups:
- id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--peer-client-cert-auth"
@@ -732,7 +732,7 @@ groups:
set: true
remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
one etcd server in your environment then this recommendation is not applicable.
- Edit the etcd environment file (for example, $$etcdConf) on the etcd server node
+ Edit the etcd environment file (for example, $etcdconf) on the etcd server node
and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file
(for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the
startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\""
@@ -740,7 +740,7 @@ groups:
- id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -753,7 +753,7 @@ groups:
set: true
remediation: "Note: This recommendation is applicable only for etcd clusters.
If you are using only one etcd server in your environment then this recommendation is
- not applicable. Edit the etcd environment file (for example, $$etcdConf)
+ not applicable. Edit the etcd environment file (for example, $etcdconf)
on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter.
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
and remove the startup parameter for --peer-auto-tls."
@@ -761,12 +761,12 @@ groups:
- id: 1.5.7
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--wal-dir"
set: true
- remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server node
+ remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node
and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example,
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for
--wal-dir and set it to \"${ETCD_WAL_DIR}\""
@@ -774,7 +774,7 @@ groups:
- id: 1.5.8
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--max-wals"
@@ -782,7 +782,7 @@ groups:
op: eq
value: 0
set: true
- remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server node
+ remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node
and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example,
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter
for --max-wals and set it to \"${ETCD_MAX_WALS}\"."
@@ -790,7 +790,7 @@ groups:
- id: 1.5.9
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
- audit: "ps -ef | grep $etcd | grep -v grep"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
tests:
test_items:
- flag: "--trusted-ca-file"
diff --git a/cfg/node.yaml b/cfg/node.yaml
index 8a87fde035cf5f20f29f156b584e4974e38e3e7c..9ecb15b5c2fbd50bb8b433bfc5490511eb0fb88c 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -9,7 +9,7 @@ groups:
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--allow-privileged"
@@ -17,13 +17,13 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $kubeConfig file on each node and set the KUBE_ALLOW_PRIV
+ remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV
parameter to \"--allow-privileged=false\""
scored: true
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--anonymous-auth"
@@ -31,13 +31,13 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $kubeletConf file on the master node and set the
+ remediation: "Edit the $kubeletconf file on the master node and set the
KUBELET_ARGS parameter to \"--anonymous-auth=false\""
scored: true
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
@@ -45,25 +45,25 @@ groups:
op: nothave
value: "AlwaysAllow"
set: true
- remediation: "Edit the $kubeletConf file on each node and set the
+ remediation: "Edit the $kubeletconf file on each node and set the
KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
scored: true
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--client-ca-file"
set: true
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
- the apiserver and kubelets. Then, edit the $kubeletConf file on each node
+ the apiserver and kubelets. Then, edit the $kubeletconf file on each node
and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
scored: true
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--read-only-port"
@@ -71,13 +71,13 @@ groups:
op: eq
value: 0
set: true
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
parameter to \"--read-only-port=0\""
scored: true
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--streaming-connection-idle-timeout"
@@ -85,13 +85,13 @@ groups:
op: gt
value: 0
set: true
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
scored: true
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--protect-kernel-defaults"
@@ -99,13 +99,13 @@ groups:
op: eq
value: true
set: true
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
parameter to \"--protect-kernel-defaults=true\""
scored: true
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
bin_op: or
test_items:
@@ -116,13 +116,13 @@ groups:
set: true
- flag: "--make-iptables-util-chains"
set: false
- remediation: "Edit the $kubeletConf file on each node and remove the
+ remediation: "Edit the $kubeletconf file on each node and remove the
--make-iptables-util-chains argument from the KUBELET_ARGS parameter."
scored: true
- id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--keep-terminated-pod-volumes"
@@ -130,24 +130,24 @@ groups:
op: eq
value: false
set: true
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
parameter to \"--keep-terminated-pod-volumes=false\""
scored: true
- id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--hostname-override"
set: false
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_HOSTNAME
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME
parameter to \"\""
scored: true
- id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--event-qps"
@@ -155,13 +155,13 @@ groups:
op: eq
value: 0
set: true
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
parameter to \"--event-qps=0\""
scored: true
- id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--tls-cert-file"
@@ -169,14 +169,14 @@ groups:
- flag: "--tls-private-key-file"
set: true
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
- Then, edit the $kubeletConf file on the master node and set the KUBELET_ARGS
+ Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS
parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
\"--tls-private-key-file=<path/to/tls-key-file>\""
scored: true
- id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletBin | grep -v grep"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests:
test_items:
- flag: "--cadvisor-port"
@@ -184,7 +184,7 @@ groups:
op: eq
value: 0
set: true
- remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS parameter
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
to \"--cadvisor-port=0\""
scored: true
@@ -193,66 +193,66 @@ groups:
checks:
- id: 2.2.1
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $kubeConfig; then stat -c %a $kubeConfig; fi"
+ audit: "if test -e $config; then stat -c %a $config; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $kubeConfig"
+ \nFor example, chmod 644 $config"
scored: true
- id: 2.2.2
text: "Ensure that the config file ownership is set to root:root (Scored)"
- audit: "if test -e $kubeConfig; then stat -c %U:%G $kubeConfig; fi"
+ audit: "if test -e $config; then stat -c %U:%G $config; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $kubeConfig"
+ \nFor example, chown root:root $config"
scored: true
- id: 2.2.3
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $kubeletConf; then stat -c %a $kubeletConf; fi"
+ audit: "if test -e $kubeletconf; then stat -c %a $kubeletconf; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $kubeletConf"
+ \nFor example, chmod 644 $kubeletconf"
scored: true
- id: 2.2.4
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
- audit: "if test -e $kubeletConf; then stat -c %U:%G $kubeletConf; fi"
+ audit: "if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $kubeletConf"
+ \nFor example, chown root:root $kubeletconf"
scored: true
- id: 2.2.5
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
- audit: "if test -e $kubeProxyConf; then stat -c %a $kubeProxyConf; fi"
+ audit: "if test -e $proxyconf; then stat -c %a $proxyconf; fi"
tests:
test_items:
- flag: "644"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $kubeProxyConf"
+ \nFor example, chmod 644 $proxyconf"
scored: true
- id: 2.2.6
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
- audit: "if test -e $kubeProxyConf; then stat -c %U:%G $kubeProxyConf; fi"
+ audit: "if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi"
tests:
test_items:
- flag: "root:root"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $kubeProxyConf"
+ \nFor example, chown root:root $proxyconf"
scored: true
diff --git a/cmd/common.go b/cmd/common.go
index 4fc9fc74af5691284216124059ce9aa09c70187c..c002945253f6c871d8de6765f67be8d77ecd1ab9 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -18,162 +18,64 @@ import (
"fmt"
"io/ioutil"
"os"
- "os/exec"
"strings"
"github.com/aquasecurity/kube-bench/check"
- "github.com/fatih/color"
"github.com/spf13/viper"
)
var (
- errmsgs string
- kubeMasterBin map[string]string
- kubeMasterConf map[string]string
-
- kubeNodeBin map[string]string
- kubeNodeConf map[string]string
- kubeFederatedBin map[string]string
+ apiserverBin string
+ apiserverConf string
+ schedulerBin string
+ schedulerConf string
+ controllerManagerBin string
+ controllerManagerConf string
+ config string
+ etcdBin string
+ etcdConf string
+ flanneldBin string
+ flanneldConf string
+ kubeletBin string
+ kubeletConf string
+ proxyBin string
+ proxyConf string
+ fedApiserverBin string
+ fedControllerManagerBin string
+
+ errmsgs string
// TODO: Consider specifying this in config file.
kubeVersion = "1.6"
-
- // Used for variable substitution
- symbols = map[string]string{}
-
- // Print colors
- colors = map[check.State]*color.Color{
- check.PASS: color.New(color.FgGreen),
- check.FAIL: color.New(color.FgRed),
- check.WARN: color.New(color.FgYellow),
- check.INFO: color.New(color.FgBlue),
- }
)
-func handleError(err error, context string) (errmsg string) {
- if err != nil {
- errmsg = fmt.Sprintf("%s, error: %s\n", context, err)
- }
- return
-}
-
func runChecks(t check.NodeType) {
var summary check.Summary
var file string
- // Set up binary and configuration.
- switch installation {
- default:
- fallthrough
- case "kops":
- // Master
- kubeMasterBin = map[string]string{
- "apiserver": "apiserver",
- "scheduler": "scheduler",
- "controller-manager": "controller-manager",
- "etcd": "etcd",
- "flanneld": "flanneld",
- }
-
- kubeMasterConf = map[string]string{
- "apiserver": "/etc/kubernetes/apiserver",
- "scheduler": "/etc/kubernetes/scheduler",
- "controller-manager": "/etc/kubernetes/controller-manager",
- "config": "/etc/kubernetes/config",
- "etcd": "/etc/etcd/etcd.conf",
- "flanneld": "/etc/sysconfig/flanneld",
- }
-
- // Node
- kubeNodeBin = map[string]string{
- "kubelet": "kubelet",
- "proxy": "proxy",
- }
-
- kubeNodeConf = map[string]string{
- "kubelet": "/etc/kubernetes/kubelet",
- "proxy": "/etc/kubernetes/proxy",
- }
+ // Master variables
+ apiserverBin = viper.GetString("installation." + installation + ".master.bin.apiserver")
+ apiserverConf = viper.GetString("installation." + installation + ".master.conf.apiserver")
+ schedulerBin = viper.GetString("installation." + installation + ".master.bin.scheduler")
+ schedulerConf = viper.GetString("installation." + installation + ".master.conf.scheduler")
+ controllerManagerBin = viper.GetString("installation." + installation + ".master.bin.controller-manager")
+ controllerManagerConf = viper.GetString("installation." + installation + ".master.conf.controler-manager")
+ config = viper.GetString("installation." + installation + ".config")
+
+ etcdBin = viper.GetString("etcd.bin")
+ etcdConf = viper.GetString("etcd.conf")
+ flanneldBin = viper.GetString("flanneld.bin")
+ flanneldConf = viper.GetString("flanneld.conf")
+
+ // Node variables
+ kubeletBin = viper.GetString("installation." + installation + ".node.bin.kubelet")
+ kubeletConf = viper.GetString("installation." + installation + ".node.conf.kubelet")
+ proxyBin = viper.GetString("installation." + installation + ".node.bin.proxy")
+ proxyConf = viper.GetString("installation." + installation + ".node.conf.proxy")
- // Federated
- kubeFederatedBin = map[string]string{
- "apiserver": "federation-apiserver",
- "controller-manager": "federation-controller-manager",
- }
-
- case "hyperkube":
- // Master
- kubeMasterBin = map[string]string{
- "apiserver": "hyperkube apiserver",
- "scheduler": "hyperkube scheduler",
- "controller-manager": "hyperkube controller-manager",
- "etcd": "etcd",
- "flanneld": "flanneld",
- }
-
- kubeMasterConf = map[string]string{
- "apiserver": "/etc/kubernetes/apiserver",
- "scheduler": "/etc/kubernetes/scheduler",
- "controller-manager": "/etc/kubernetes/controller-manager",
- "config": "/etc/kubernetes/config",
- "etcd": "/etc/etcd/etcd.conf",
- "flanneld": "/etc/sysconfig/flanneld",
- }
-
- // Node
- kubeNodeBin = map[string]string{
- "kubelet": "hyperkube kubelet",
- "proxy": "hyperkube kube-proxy",
- }
-
- kubeNodeConf = map[string]string{
- "kubelet": "/etc/kubernetes/kubelet",
- "proxy": "/etc/kubernetes/proxy",
- }
-
- // Federated
- kubeFederatedBin = map[string]string{
- "apiserver": "federation-apiserver",
- "controller-manager": "federation-controller-manager",
- }
- case "kubeadm":
- // TODO: Complete config and binary file list for kubeadm.
-
- // Master
- kubeMasterBin = map[string]string{
- "apiserver": "hyperkube",
- "scheduler": "hyperkube",
- "controller-manager": "hyperkube",
- "etcd": "etcd",
- "flanneld": "flanneld",
- }
-
- kubeMasterConf = map[string]string{
- "apiserver": "/etc/kubernetes/admin.conf",
- "scheduler": "/etc/kubernetes/scheduler.conf",
- "controller-manager": "/etc/kubernetes/controller-manager.conf",
- "config": "/etc/kubernetes/config",
- "etcd": "/etc/etcd/etcd.conf",
- "flanneld": "/etc/sysconfig/flanneld",
- }
-
- // Node
- kubeNodeBin = map[string]string{
- "kubelet": "hyperkube",
- "proxy": "hyperkube",
- }
-
- kubeNodeConf = map[string]string{
- "kubelet": "/etc/kubernetes/kubelet.conf",
- "proxy": "/etc/kubernetes/proxy.conf",
- }
-
- // Federated
- kubeFederatedBin = map[string]string{
- "apiserver": "federation-apiserver",
- "controller-manager": "federation-controller-manager",
- }
- }
+ // Federated
+ fedApiserverBin = viper.GetString("installation." + installation + ".federated.bin.apiserver")
+ fedControllerManagerBin = viper.GetString("installation." + installation + ".federated.bin.controller-manager")
// Run kubernetes installation validation checks.
warns := verifyNodeType(t)
@@ -193,32 +95,28 @@ func runChecks(t check.NodeType) {
os.Exit(1)
}
- // Variable substitutions. Replace all occurrences of variables in controls file.
- // Master
- s := strings.Replace(string(in), "$kubeApiserver", kubeMasterBin["apiserver"], -1)
- s = strings.Replace(s, "$apiserverConf", kubeMasterConf["apiserver"], -1)
-
- s = strings.Replace(s, "$kubeScheduler", kubeMasterBin["scheduler"], -1)
- s = strings.Replace(s, "$schedulerConf", kubeMasterConf["scheduler"], -1)
-
- s = strings.Replace(s, "$kubeControllerManager", kubeMasterBin["controller-manager"], -1)
- s = strings.Replace(s, "$controllerManagerConf", kubeMasterConf["controller-manager"], -1)
+ // Variable substitutions. Replace all occurrences of variables in controls files.
+ s := strings.Replace(string(in), "$apiserverbin", apiserverBin, -1)
+ s = strings.Replace(s, "$apiserverconf", apiserverConf, -1)
+ s = strings.Replace(s, "$schedulerbin", schedulerBin, -1)
+ s = strings.Replace(s, "$schedulerconf", schedulerConf, -1)
+ s = strings.Replace(s, "$controllermanagerbin", controllerManagerBin, -1)
+ s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
+ s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
+ s = strings.Replace(s, "$config", config, -1)
- s = strings.Replace(s, "$etcd", kubeMasterBin["etcd"], -1)
- s = strings.Replace(s, "$flanneld", kubeMasterBin["flanneld"], -1)
+ s = strings.Replace(s, "$etcdbin", etcdBin, -1)
+ s = strings.Replace(s, "$etcdconf", etcdConf, -1)
+ s = strings.Replace(s, "$flanneldbin", flanneldBin, -1)
+ s = strings.Replace(s, "$flanneldconf", flanneldConf, -1)
- s = strings.Replace(s, "$kubeConfig", kubeMasterConf["config"], -1)
- s = strings.Replace(s, "$etcdConf", kubeMasterConf["etcd"], -1)
- s = strings.Replace(s, "$flanneldConf", kubeMasterConf["flanneld"], -1)
+ s = strings.Replace(s, "$kubeletbin", kubeletBin, -1)
+ s = strings.Replace(s, "$kubeletconf", kubeletConf, -1)
+ s = strings.Replace(s, "$proxybin", proxyBin, -1)
+ s = strings.Replace(s, "$proxyconf", proxyConf, -1)
- // Node
- s = strings.Replace(s, "$kubeletBin", kubeNodeBin["kubelet"], -1)
- s = strings.Replace(s, "$kubeletConf", kubeNodeConf["kubelet"], -1)
- s = strings.Replace(s, "$kubeProxyConf", kubeNodeConf["proxy"], -1)
-
- // Federated
- s = strings.Replace(s, "$federationApiserver", kubeFederatedBin["apiserver"], -1)
- s = strings.Replace(s, "$federationControllerManager", kubeFederatedBin["controller-manager"], -1)
+ s = strings.Replace(s, "$fedapiserverbin", fedApiserverBin, -1)
+ s = strings.Replace(s, "$fedcontrollermanagerbin", fedControllerManagerBin, -1)
controls, err := check.NewControls(t, []byte(s))
if err != nil {
@@ -253,20 +151,8 @@ func runChecks(t check.NodeType) {
}
}
-func cleanIDs(list string) []string {
- list = strings.Trim(list, ",")
- ids := strings.Split(list, ",")
-
- for _, id := range ids {
- id = strings.Trim(id, " ")
- }
-
- return ids
-}
-
// verifyNodeType checks the executables and config files are as expected
// for the specified tests (master, node or federated).
-// Any check failing here is a show stopper.
func verifyNodeType(t check.NodeType) []string {
var w []string
// Always clear out error messages.
@@ -274,18 +160,16 @@ func verifyNodeType(t check.NodeType) []string {
switch t {
case check.MASTER:
- w = append(w, verifyBin(values(kubeMasterBin))...)
- w = append(w, verifyConf(values(kubeMasterConf))...)
- w = append(w, verifyKubeVersion(kubeMasterBin["apiserver"])...)
+ w = append(w, verifyBin(apiserverBin, schedulerBin, controllerManagerBin)...)
+ w = append(w, verifyConf(apiserverConf, schedulerConf, controllerManagerConf)...)
+ w = append(w, verifyKubeVersion(apiserverBin)...)
case check.NODE:
- w = append(w, verifyBin(values(kubeNodeBin))...)
- w = append(w, verifyConf(values(kubeNodeConf))...)
- w = append(w, verifyKubeVersion(kubeNodeBin["kubelet"])...)
- /*
- case check.FEDERATED:
- w = append(w, verifyBin(kubeFederatedBin)...)
- w = append(w, verifyKubeVersion(kubeFederatedBin[0])...)
- */
+ w = append(w, verifyBin(kubeletBin, proxyBin)...)
+ w = append(w, verifyConf(kubeletConf, proxyConf)...)
+ w = append(w, verifyKubeVersion(kubeletBin)...)
+ case check.FEDERATED:
+ w = append(w, verifyBin(fedApiserverBin, fedControllerManagerBin)...)
+ w = append(w, verifyKubeVersion(fedApiserverBin)...)
}
if verbose {
@@ -347,73 +231,3 @@ func prettyPrint(warnings []string, r *check.Controls, summary check.Summary) {
summary.Pass, summary.Fail, summary.Warn,
)
}
-
-func verifyConf(confPath []string) []string {
- var w []string
- for _, c := range confPath {
- if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
- w = append(w, fmt.Sprintf("config file %s does not exist\n", c))
- }
- }
-
- return w
-}
-
-func verifyBin(binPath []string) []string {
- var w []string
- var binList string
-
- // Construct proc name for ps(1)
- for _, b := range binPath {
- binList += b + ","
- }
- binList = strings.Trim(binList, ",")
-
- // Run ps command
- cmd := exec.Command("ps", "-C", binList, "-o", "cmd", "--no-headers")
- out, err := cmd.Output()
- errmsgs += handleError(
- err,
- fmt.Sprintf("verifyBin: %s failed", binList),
- )
-
- // Actual verification
- for _, b := range binPath {
- matched := strings.Contains(string(out), b)
-
- if !matched {
- w = append(w, fmt.Sprintf("%s is not running\n", b))
- }
- }
-
- return w
-}
-
-func verifyKubeVersion(b string) []string {
- // These executables might not be on the user's path.
- // TODO! Check the version number using kubectl, which is more likely to be on the path.
- var w []string
-
- // Check version
- cmd := exec.Command(b, "--version")
- out, err := cmd.Output()
- errmsgs += handleError(
- err,
- fmt.Sprintf("verifyKubeVersion: failed\nCommand:%s", cmd.Args),
- )
-
- matched := strings.Contains(string(out), kubeVersion)
- if !matched {
- w = append(w, fmt.Sprintf("%s unsupported version\n", b))
- }
-
- return w
-}
-
-// values returns the values in a string map.
-func values(m map[string]string) (vals []string) {
- for _, v := range m {
- vals = append(vals, v)
- }
- return
-}
diff --git a/cmd/root.go b/cmd/root.go
index dd4270099472b92fdae3356ea314f8c5250deb2f..055e0c79703f2780e0fa0b7284fcc9791a243288 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -99,17 +99,11 @@ func initConfig() {
viper.AutomaticEnv() // read in environment variables that match
// Set defaults
- viper.SetDefault("kubeConfDir", "/etc/kubernetes")
- viper.SetDefault("etcdConfDir", "/etc/etcd")
- viper.SetDefault("flanneldConfDir", "/etc/sysconfig")
-
- viper.SetDefault("masterFile", cfgDir+"/master.yaml")
- viper.SetDefault("nodeFile", cfgDir+"/node.yaml")
- viper.SetDefault("federatedFile", cfgDir+"/federated.yaml")
// If a config file is found, read it in.
if err := viper.ReadInConfig(); err != nil {
colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))
os.Exit(1)
}
+
}
diff --git a/cmd/util.go b/cmd/util.go
new file mode 100644
index 0000000000000000000000000000000000000000..5a01e0dc7b35149951da39dd88783ca7550a27fa
--- /dev/null
+++ b/cmd/util.go
@@ -0,0 +1,101 @@
+package cmd
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+ "strings"
+
+ "github.com/aquasecurity/kube-bench/check"
+ "github.com/fatih/color"
+)
+
+var (
+ // Print colors
+ colors = map[check.State]*color.Color{
+ check.PASS: color.New(color.FgGreen),
+ check.FAIL: color.New(color.FgRed),
+ check.WARN: color.New(color.FgYellow),
+ check.INFO: color.New(color.FgBlue),
+ }
+)
+
+func handleError(err error, context string) (errmsg string) {
+ if err != nil {
+ errmsg = fmt.Sprintf("%s, error: %s\n", context, err)
+ }
+ return
+}
+
+func cleanIDs(list string) []string {
+ list = strings.Trim(list, ",")
+ ids := strings.Split(list, ",")
+
+ for _, id := range ids {
+ id = strings.Trim(id, " ")
+ }
+
+ return ids
+}
+
+func verifyConf(confPath ...string) []string {
+ var w []string
+ for _, c := range confPath {
+ if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
+ w = append(w, fmt.Sprintf("config file %s does not exist\n", c))
+ }
+ }
+
+ return w
+}
+
+func verifyBin(binPath ...string) []string {
+ var w []string
+ var binList string
+
+ // Construct proc name for ps(1)
+ for _, b := range binPath {
+ binList += b + ","
+ }
+ binList = strings.Trim(binList, ",")
+
+ // Run ps command
+ cmd := exec.Command("ps", "-C", binList, "-o", "cmd", "--no-headers")
+ out, err := cmd.Output()
+ errmsgs += handleError(
+ err,
+ fmt.Sprintf("verifyBin: %s failed", binList),
+ )
+
+ // Actual verification
+ for _, b := range binPath {
+ matched := strings.Contains(string(out), b)
+
+ if !matched {
+ w = append(w, fmt.Sprintf("%s is not running\n", b))
+ }
+ }
+
+ return w
+}
+
+func verifyKubeVersion(b string) []string {
+ // These executables might not be on the user's path.
+ // TODO! Check the version number using kubectl, which is more likely to be on the path.
+ var w []string
+
+ // Check version
+ cmd := exec.Command(b, "--version")
+ out, err := cmd.Output()
+ errmsgs += handleError(
+ err,
+ fmt.Sprintf("verifyKubeVersion: failed\nCommand:%s", cmd.Args),
+ )
+
+ matched := strings.Contains(string(out), kubeVersion)
+ if !matched {
+ w = append(w, fmt.Sprintf("%s unsupported version\n", b))
+ }
+
+ return w
+}