From 96c469669c23df1bfdbe2d47aab7c0acb485fff6 Mon Sep 17 00:00:00 2001
From: Liz Rice <liz@lizrice.com>
Date: Fri, 11 Aug 2017 17:59:57 +0100
Subject: [PATCH] Use kubectl to check the kubernetes version
---
cmd/common.go | 7 ++---
cmd/util.go | 53 ++++++++++++++++++++++++++++-----
cmd/util_test.go | 77 ++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 125 insertions(+), 12 deletions(-)
create mode 100644 cmd/util_test.go
diff --git a/cmd/common.go b/cmd/common.go
index 69bec28..d27dc1f 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -45,7 +45,8 @@ var (
errmsgs string
// TODO: Consider specifying this in config file.
- kubeVersion = "1.7.0"
+ kubeMajorVersion = "1"
+ kubeMinorVersion = "7"
)
func runChecks(t check.NodeType) {
@@ -77,6 +78,7 @@ func runChecks(t check.NodeType) {
fedControllerManagerBin = viper.GetString("installation." + installation + ".federated.bin.controller-manager")
// Run kubernetes installation validation checks.
+ verifyKubeVersion(kubeMajorVersion, kubeMinorVersion)
verifyNodeType(t)
switch t {
@@ -150,15 +152,12 @@ func runChecks(t check.NodeType) {
func verifyNodeType(t check.NodeType) {
switch t {
case check.MASTER:
- verifyKubeVersion(apiserverBin)
verifyBin(apiserverBin, schedulerBin, controllerManagerBin)
verifyConf(apiserverConf, schedulerConf, controllerManagerConf)
case check.NODE:
- verifyKubeVersion(kubeletBin)
verifyBin(kubeletBin, proxyBin)
verifyConf(kubeletConf, proxyConf)
case check.FEDERATED:
- verifyKubeVersion(fedApiserverBin)
verifyBin(fedApiserverBin, fedControllerManagerBin)
}
}
diff --git a/cmd/util.go b/cmd/util.go
index 1885952..937e3e0 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -4,6 +4,7 @@ import (
"fmt"
"os"
"os/exec"
+ "regexp"
"strings"
"github.com/aquasecurity/kube-bench/check"
@@ -123,25 +124,61 @@ func verifyBin(binPath ...string) {
}
}
-func verifyKubeVersion(b string) {
+func verifyKubeVersion(major string, minor string) {
// These executables might not be on the user's path.
- // TODO! Check the version number using kubectl, which is more likely to be on the path.
- _, err := exec.LookPath(b)
+ _, err := exec.LookPath("kubectl")
if err != nil {
continueWithError(err, sprintlnWarn("Kubernetes version check skipped"))
return
}
- cmd := exec.Command(b, "--version")
+ cmd := exec.Command("kubectl", "version")
out, err := cmd.Output()
if err != nil {
- continueWithError(err, sprintlnWarn("Kubernetes version check skipped"))
+ s := fmt.Sprintf("Kubernetes version check skipped with error %v", err)
+ continueWithError(err, sprintlnWarn(s))
return
}
- matched := strings.Contains(string(out), kubeVersion)
- if !matched {
- printlnWarn(fmt.Sprintf("Unsupported kubernetes version: %s", out))
+ msg := checkVersion("Client", string(out), major, minor)
+ if msg != "" {
+ continueWithError(fmt.Errorf(msg), msg)
+ }
+
+ msg = checkVersion("Server", string(out), major, minor)
+ if msg != "" {
+ continueWithError(fmt.Errorf(msg), msg)
+ }
+}
+
+var regexVersionMajor = regexp.MustCompile("Major:\"([0-9]+)\"")
+var regexVersionMinor = regexp.MustCompile("Minor:\"([0-9]+)\"")
+
+func checkVersion(x string, s string, expMajor string, expMinor string) string {
+ regexVersion, err := regexp.Compile(x + " Version: version.Info{(.*)}")
+ if err != nil {
+ return fmt.Sprintf("Error checking Kubernetes version: %v", err)
+ }
+
+ ss := regexVersion.FindString(s)
+ major := versionMatch(regexVersionMajor, ss)
+ minor := versionMatch(regexVersionMinor, ss)
+ if major == "" || minor == "" {
+ return fmt.Sprintf("Couldn't find %s version from kubectl output '%s'", x, s)
+ }
+
+ if major != expMajor || minor != expMinor {
+ return fmt.Sprintf("Unexpected %s version %s.%s", x, major, minor)
+ }
+
+ return ""
+}
+
+func versionMatch(r *regexp.Regexp, s string) string {
+ match := r.FindStringSubmatch(s)
+ if len(match) < 2 {
+ return ""
}
+ return match[1]
}
diff --git a/cmd/util_test.go b/cmd/util_test.go
new file mode 100644
index 0000000..74d955f
--- /dev/null
+++ b/cmd/util_test.go
@@ -0,0 +1,77 @@
+// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+ "regexp"
+ "testing"
+)
+
+func TestCheckVersion(t *testing.T) {
+ kubeoutput := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
+ Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}`
+ cases := []struct {
+ t string
+ s string
+ major string
+ minor string
+ exp string
+ }{
+ {t: "Client", s: kubeoutput, major: "1", minor: "7"},
+ {t: "Server", s: kubeoutput, major: "1", minor: "7"},
+ {t: "Client", s: kubeoutput, major: "1", minor: "6", exp: "Unexpected Client version 1.7"},
+ {t: "Client", s: kubeoutput, major: "2", minor: "0", exp: "Unexpected Client version 1.7"},
+ {t: "Server", s: "something unexpected", major: "2", minor: "0", exp: "Couldn't find Server version from kubectl output 'something unexpected'"},
+ }
+
+ for _, c := range cases {
+ t.Run("", func(t *testing.T) {
+ m := checkVersion(c.t, c.s, c.major, c.minor)
+ if m != c.exp {
+ t.Fatalf("Got: %s, expected: %s", m, c.exp)
+ }
+ })
+ }
+
+}
+
+func TestVersionMatch(t *testing.T) {
+ minor := regexVersionMinor
+ major := regexVersionMajor
+ client := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}`
+ server := `Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}`
+
+ cases := []struct {
+ r *regexp.Regexp
+ s string
+ exp string
+ }{
+ {r: major, s: server, exp: "1"},
+ {r: minor, s: server, exp: "7"},
+ {r: major, s: client, exp: "1"},
+ {r: minor, s: client, exp: "7"},
+ {r: major, s: "Some unexpected string"},
+ {r: minor}, // Checking that we don't fall over if the string is empty
+ }
+
+ for _, c := range cases {
+ t.Run("", func(t *testing.T) {
+ m := versionMatch(c.r, c.s)
+ if m != c.exp {
+ t.Fatalf("Got %s expected %s", m, c.exp)
+ }
+ })
+ }
+}
--
GitLab