feat/add command eval pkg (#8)
* feat: add eval cmd implementation

* feat: add eval cmd implementation

* feat: update git ignore

* feat: update git ignore

* feat: remove mocks folder

* refactor: remove unused code

* test: update test param

* style: fix lint issues

* fix: update spec with cmd eval param

* fix: update gke spec with cmd eval param
chen-keinan authored Aug 26, 2021
1 parent b864a94 commit 9313215
Showing 40 changed files with 975 additions and 1,198 deletions.
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -21,4 +21,6 @@ cf
cf2
tf
tfr
*/mocks*
*mocks*
kube-beacon
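Review bot: of the two new ignore patterns, `*/mocks*` is redundant, because a gitignore pattern without a slash (`*mocks*`) is already matched at every directory depth and covers everything the first line does; more importantly `*mocks*` is broad enough to ignore any file whose name merely contains `mocks`, including a hand-written `mocks_test.go`, so a directory-anchored pattern such as `mocks/` is the safer way to exclude the generated mock folder this commit removes.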
14 changes: 11 additions & 3 deletions go.mod
Expand Up @@ -5,24 +5,32 @@ go 1.14
require (
github.com/Knetic/govaluate v3.0.0+incompatible
github.com/cheggaaa/pb v1.0.29
github.com/chen-keinan/go-command-eval v0.0.2
github.com/gobuffalo/envy v1.9.0 // indirect
github.com/gobuffalo/logger v1.0.4 // indirect
github.com/gobuffalo/packd v1.0.0 // indirect
github.com/gobuffalo/packr v1.30.1
github.com/gobuffalo/packr/v2 v2.8.1 // indirect
github.com/golang/mock v1.6.0
github.com/gosuri/uitable v0.0.4
github.com/karrick/godirwalk v1.16.1 // indirect
github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
github.com/magiconair/properties v1.8.5
github.com/mattn/go-isatty v0.0.12 // indirect
github.com/mattn/go-runewidth v0.0.7 // indirect
github.com/mitchellh/cli v1.1.2
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
github.com/mitchellh/mapstructure v1.4.1
github.com/rogpeppe/go-internal v1.8.0 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spf13/cobra v1.2.1 // indirect
github.com/stretchr/testify v1.7.0
go.uber.org/fx v1.13.1
go.uber.org/zap v1.17.0
golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e // indirect
go.uber.org/zap v1.18.1
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e // indirect
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf // indirect
golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
golang.org/x/tools v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0
)
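Review bot: `github.com/chen-keinan/go-command-eval` is pinned at `v0.0.2`, a pre-1.0 version with no compatibility guarantee, and every `eval_expr` in the benchmark specs now depends on its `${n}` placeholder syntax, so a unit test that feeds known audit output through the evaluator would catch a placeholder-format change at upgrade time rather than in the field. `github.com/Knetic/govaluate` is still required alongside the new package; if expression evaluation has moved to go-command-eval, drop it and run `go mod tidy`, which would also sort out the `// indirect` tooling entries (`golang.org/x/lint`, `golang.org/x/tools`, `github.com/spf13/cobra`) that have landed in the module file.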
598 changes: 592 additions & 6 deletions go.sum

Large diffs are not rendered by default.

Expand Up @@ -25,7 +25,7 @@ categories:
check_type: multi_param
impact: External mechanisms for authentication generally require additional software to be
deployed.
eval_expr: "'$0' != ''; && '$0' == '$1';"
eval_expr: "'${0}' != ''; && '${0}' == '${1}';"
default_value: See the GKE documentation for the default value.
references:
- https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
62 changes: 31 additions & 31 deletions internal/benchmark/gke/v1.1.0/3.0_worker_nodes.yml
Expand Up @@ -15,13 +15,13 @@ categories:
audit:
- ps -ef | grep kube-proxy |grep 'kubeconfig' | grep -o 'kubeconfig=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
- 'stat -c %a #0'
- 'stat -c %a ${0}'
remediation: Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 <proxy kubeconfig file>
check_type: multi_param
impact: None
eval_expr: "$1 <= 644;"
eval_expr: "${1} <= 644;"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kube-proxy/
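Review bot: `stat -c %a ${0}` substitutes the kubeconfig path found by the first audit command without quoting, and nothing handles the case where that command finds nothing: with an empty `${0}`, `stat` exits with a usage error, `${1}` is empty, and whether `${1} <= 644` then counts as pass or fail is left to the evaluator. Quote the path (`'stat -c %a "${0}"'`) and confirm that an empty numeric operand is treated as a failed check, since a missing kube-proxy kubeconfig should not silently satisfy the permission test.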
Expand All @@ -33,13 +33,13 @@ categories:
profile_applicability: Master
audit:
- ps -ef | grep kube-proxy |grep 'kubeconfig' | grep -o 'kubeconfig=[^"]\S*' | awk -F "=" '{print $2}' | awk 'FNR <= 1'
- 'stat -c %U:%G #0'
- 'stat -c %U:%G ${0}'
remediation: Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root <proxy kubeconfig file>
check_type: multi_param
impact: None
eval_expr: "'$1' == 'root:root';"
eval_expr: "'${1}' == 'root:root';"
default_value: See the GKE documentation for the default value.
references:
- hthttps://kubernetes.io/docs/admin/kube-proxy/
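Review bot: the reference URL on the last context line, `hthttps://kubernetes.io/docs/admin/kube-proxy/`, is malformed; since this block is being edited anyway, correct it to `https://kubernetes.io/docs/admin/kube-proxy/`.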
Expand All @@ -51,12 +51,12 @@ categories:
profile_applicability: Master
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
- 'stat -c %a #0'
- 'stat -c %a ${0}'
remediation: Run the following command (using the config file location identied in the Audit step)
chmod 644 /var/lib/kubelet/config.yaml
check_type: multi_param
impact: None
eval_expr: "$1 <= 644;"
eval_expr: "${1} <= 644;"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
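Review bot: the remediation text in this block misspells `identified` as `identied`; the same wording is repeated in the kubelet.conf ownership check that follows, so fix both while the file is open.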
Expand All @@ -69,12 +69,12 @@ categories:
profile_applicability: Master
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
- 'stat -c %U:%G #0'
- 'stat -c %U:%G ${0}'
remediation: Run the following command (using the config file location identied in the Audit step)
chown root:root /etc/kubernetes/kubelet.conf
check_type: multi_param
impact: None
eval_expr: "'$1' == 'root:root';"
eval_expr: "'${1}' == 'root:root';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
Expand All @@ -85,12 +85,12 @@ categories:
profile_applicability: Master
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
- 'grep -A5 ''authentication'' #0 | grep -A1 ''anonymous''| grep -o ''enabled:[^"]\S*''| awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- 'grep -A5 ''authentication'' ${0} | grep -A1 ''anonymous''| grep -o ''enabled:[^"]\S*''| awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --anonymous-auth' | grep -o ' --anonymous-auth=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
remediation: If using a Kubelet config file, edit the file to set authentication anonymous enabled to false.\n If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
check_type: multi_param
impact: Anonymous requests will be rejected.
eval_expr: "'$1' == 'false'; || '$2' == 'false';"
eval_expr: "'${1}' == 'false'; || '${1}' == 'false';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
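Review bot: the `eval_expr` rewrite is wrong: `'$2' == 'false'` became `'${1}' == 'false'`, so the expression now tests `${1}` twice and the `--anonymous-auth` flag value captured by the third audit command (index 2) is never evaluated, meaning a kubelet whose config file enables anonymous auth but whose command line disables it is reported as failing, and vice versa. It should read `"'${1}' == 'false'; || '${2}' == 'false';"`. The same `$2` to `${1}` slip appears in several other expressions in this file and looks like a find-and-replace error, so every `eval_expr` backed by three or more audit commands needs rechecking.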
Expand All @@ -101,7 +101,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep -A5 ''authorization'' #0 | grep ''mode:[^"]\S*''| awk -F ":" ''{print
- ' grep -A5 ''authorization'' ${0} | grep ''mode:[^"]\S*''| awk -F ":" ''{print
$2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --authorization-mode' | grep -o ' --authorization-mode=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -113,7 +113,7 @@ categories:
--authorization-mode=Webhook
check_type: multi_param
impact: Unauthorized requests will be denied.
eval_expr: "'$1' != 'AlwaysAllow'; && '$2' != 'AlwaysAllow';"
eval_expr: "'${1}' != 'AlwaysAllow'; && '${1}' != 'AlwaysAllow';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
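Review bot: on the `eval_expr` line the second operand changed from `'$2'` to `'${1}'`, so the expression now reads `'${1}' != 'AlwaysAllow'; && '${1}' != 'AlwaysAllow';` and the `--authorization-mode` value from the third audit command (index 2) is no longer checked; a kubelet started with `--authorization-mode=AlwaysAllow` on the command line would pass this control. It should be `"'${1}' != 'AlwaysAllow'; && '${2}' != 'AlwaysAllow';"`.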
Expand All @@ -124,7 +124,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep -A10 ''authentication'' #0 |grep -A1 ''x509'' |grep ''clientCAFile:[^"]\S*''|
- ' grep -A10 ''authentication'' ${0} |grep -A1 ''x509'' |grep ''clientCAFile:[^"]\S*''|
awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --client-ca-file' | grep -o ' --client-ca-file=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -134,7 +134,7 @@ categories:
--client-ca-file=<path/to/client-ca-file>
check_type: multi_param
impact: You require TLS to be configured on apiserver as well as kubelets.
eval_expr: "'$1' != ''; || '$2' != '';"
eval_expr: "'${1}' != ''; || '${1}' != '';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
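Review bot: `'$2' != ''` became `'${1}' != ''` on the `eval_expr` line, so both sides of the `||` test the same value and the `--client-ca-file` flag captured by the third audit command is ignored; a node that sets the CA only on the command line would fail. Use `"'${1}' != ''; || '${2}' != '';"`.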
Expand All @@ -145,7 +145,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --read-only-port' | grep -o ' --read-only-port=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''readOnlyPort'' #0 |grep ''readOnlyPort:[^"]\S*''| awk -F ":"
- ' grep ''readOnlyPort'' ${0} |grep ''readOnlyPort:[^"]\S*''| awk -F ":"
''{print $2}'' |awk ''FNR <= 1'''
remediation: |-
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
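Review bot: in this block `${0}` is not a config-file path: `audit:` starts with the `--read-only-port` lookup, so index 0 holds the flag value and `grep ''readOnlyPort'' ${0}` will try to grep a file named after the port number. Every other kubelet check in this file runs the `--config` lookup first; this one needs that command as index 0 (with the flag lookup shifted to index 1 and the expression indices adjusted), otherwise the config-file branch of the check never works.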
Expand All @@ -156,7 +156,7 @@ categories:
check_type: multi_param
impact: Removal of the read-only port will require that any service which made
use of it will need to be re-configured to use the main Kubelet API.
eval_expr: "'$0' != ''; || '$1' == '0';"
eval_expr: "'${0}' != ''; || '${1}' == '0';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
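Review bot: `'${0}' != ''` on the `eval_expr` line passes whenever the `--read-only-port` flag is set to any value at all, including the kubelet default of `10255` that this control exists to disable; only a value of `0` satisfies the remediation text above. The expression should be `"'${0}' == '0'; || '${1}' == '0';"`.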
Expand All @@ -166,7 +166,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''streamingConnectionIdleTimeout'' #0 |grep ''streamingConnectionIdleTimeout:[^"]\S*''|
- ' grep ''streamingConnectionIdleTimeout'' ${0} |grep ''streamingConnectionIdleTimeout:[^"]\S*''|
awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --streamingConnectionIdleTimeout' | grep -o
' --streamingConnectionIdleTimeout=[^"]\S*' | awk -F "=" '{print $2}' |awk
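Review bot: the third audit command greps `ps -ef` output for ` --streamingConnectionIdleTimeout=`, but the kubelet command-line flag is `--streaming-connection-idle-timeout` (the camelCase form is the config-file key, and the remediation text for this control uses the hyphenated flag), so this command can never match and index 2 will always be empty. Change the grep patterns to the hyphenated flag name.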
Expand All @@ -177,7 +177,7 @@ categories:
--streaming-connection-idle-timeout=5m
check_type: multi_param
impact: Long-lived connections could be interrupted.
eval_expr: "'$1' != '0'; && '$2' != '0s';"
eval_expr: "'${1}' != '0'; && '${1}' != '0s';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
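Review bot: the `eval_expr` line now compares `${1}` twice (`'${1}' != '0'; && '${1}' != '0s';`) where the original compared `$1` and `$2`, so the `--streaming-connection-idle-timeout` flag value from the third audit command is never evaluated. Restore `"'${1}' != '0'; && '${2}' != '0s';"`.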
Expand All @@ -189,7 +189,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''protectKernelDefaults'' #0 |grep ''protectKernelDefaults:[^"]\S*''|
- ' grep ''protectKernelDefaults'' ${0} |grep ''protectKernelDefaults:[^"]\S*''|
awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --protect-kernel-defaults' | grep -o ' --protect-kernel-defaults=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -199,7 +199,7 @@ categories:
--protect-kernel-defaults=true
check_type: multi_param
impact: You would have to re-tune kernel parameters to match kubelet parameters.
eval_expr: "'$1' == 'true'; || '$2' == 'true';"
eval_expr: "'${1}' == 'true'; || '${1}' == 'true';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
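Review bot: `'$2' == 'true'` became `'${1}' == 'true'` on the `eval_expr` line, leaving `'${1}' == 'true'; || '${1}' == 'true';`, so the `--protect-kernel-defaults` flag captured by the third audit command is ignored and a node that enables it only on the command line fails the check. Use `"'${1}' == 'true'; || '${2}' == 'true';"`.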
Expand All @@ -209,7 +209,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''makeIPTablesUtilChains'' #0 |grep ''makeIPTablesUtilChains:[^"]\S*''|
- ' grep ''makeIPTablesUtilChains'' ${0} |grep ''makeIPTablesUtilChains:[^"]\S*''|
awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --make-iptables-util-chains' | grep -o ' --make-iptables-util-chains=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -220,7 +220,7 @@ categories:
impact: Kubelet would manage the iptables on the system and keep it in sync.
If you are using any other iptables management solution, then there might
be some conflicts
eval_expr: "('$1' != 'false'; && '$2' == ''; ) || '$2' == 'true';"
eval_expr: "('${1}' != 'false'; && '${1}' == ''; ) || '${1}' == 'true';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
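Review bot: the `eval_expr` rewrite collapses both indices to `${1}`: the group `('${1}' != 'false'; && '${1}' == ''; )` can only be true when `${1}` is empty, and the `--make-iptables-util-chains` flag (index 2) is never consulted. Restore `"('${1}' != 'false'; && '${2}' == ''; ) || '${2}' == 'true';"`, which passes when the config file does not disable the setting and the flag is unset, or when the flag is explicitly `true`.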
Expand All @@ -237,7 +237,7 @@ categories:
impact: Some cloud providers may require this flag to ensure that hostname matches
names issued by the cloud provider. In these environments, this recommendation
should not apply.
eval_expr: "'$0' == '';"
eval_expr: "'${0}' == '';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
Expand All @@ -251,7 +251,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''event-qps'' #0 |grep ''event-qps:[^"]\S*''| awk -F ":" ''{print
- ' grep ''event-qps'' ${0} |grep ''event-qps:[^"]\S*''| awk -F ":" ''{print
$2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --event-qps' | grep -o ' --event-qps=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -263,7 +263,7 @@ categories:
impact: Setting this parameter to 0 could result in a denial of service condition
due to excessive events being created. The cluster's event processing and
storage systems should be scaled to handle expected event loads.
eval_expr: "('$1' != '0'; && '$2' == ''; ) || '$2' != '0';"
eval_expr: "('${1}' != '0'; && '${1}' == ''; ) || '${1}' != '0';"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
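Review bot: on the `eval_expr` line `$2` was replaced by `${1}`, so `('${1}' != '0'; && '${1}' == ''; ) || '${1}' != '0';` reduces to `'${1}' != '0'` and the `--event-qps` flag from the third audit command is never checked; a kubelet run with `--event-qps=0` on the command line passes. It should read `"('${1}' != '0'; && '${2}' == ''; ) || '${2}' != '0';"`.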
Expand All @@ -275,9 +275,9 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''tlsCertFile'' #0 |grep ''tlsCertFile:[^"]\S*''| awk -F ":" ''{print
- ' grep ''tlsCertFile'' ${0} |grep ''tlsCertFile:[^"]\S*''| awk -F ":" ''{print
$2}'' |awk ''FNR <= 1'''
- ' grep ''tlsPrivateKeyFile'' #0 |grep ''tlsPrivateKeyFile:[^"]\S*''| awk
- ' grep ''tlsPrivateKeyFile'' ${0} |grep ''tlsPrivateKeyFile:[^"]\S*''| awk
-F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --tls-cert-file' | grep -o ' --tls-cert-file=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -289,7 +289,7 @@ categories:
check_type: multi_param
impact: TLS and client certificate authentication must be configured for your Kubernetes cluster
deployment.
eval_expr: "('$1' != ''; && '$2' != '';) || ('$3' != ''; && '$4' != '';)"
eval_expr: "('${1}' != ''; && '${1}' != '';) || ('${3}' != ''; && '${4}' != '';)"
default_value: See the GKE documentation for the default value.
references:
- https://kubernetes.io/docs/admin/kubelet/
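Review bot: `'${1}' != ''; && '${1}' != ''` in the first group of the `eval_expr` is a duplicated operand; the original compared `$1` (tlsCertFile) with `$2` (tlsPrivateKeyFile), and the intact `${3}`/`${4}` in the second group show the intended indexing. As written, a config file that names a cert file but no key file passes. Use `"('${1}' != ''; && '${2}' != '';) || ('${3}' != ''; && '${4}' != '';)"`.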
Expand All @@ -302,7 +302,7 @@ categories:
audit:
- ps -ef | grep kubelet |grep ' --config' | grep -o ' --config=[^"]\S*' | awk
-F "=" '{print $2}' |awk 'FNR <= 1'
- ' grep ''rotateCertificates'' #0 |grep ''rotateCertificates:[^"]\S*''|
- ' grep ''rotateCertificates'' ${0} |grep ''rotateCertificates:[^"]\S*''|
awk -F ":" ''{print $2}'' |awk ''FNR <= 1'''
- ps -ef | grep kubelet |grep ' --rotate-certificates' | grep -o ' --rotate-certificates=[^"]\S*'
| awk -F "=" '{print $2}' |awk 'FNR <= 1'
Expand All @@ -313,7 +313,7 @@ categories:
variable.
check_type: multi_param
impact: None
eval_expr: "('$1' == ''; || '$1' == 'true'; ) || '$2' == 'true';"
eval_expr: "('${1}' == ''; || '${1}' == 'true'; ) || '${1}' == 'true';"
default_value: See the GKE documentation for the default value.
references:
- https://github.com/kubernetes/kubernetes/pull/41912
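Review bot: the last operand of the `eval_expr` changed from `'$2' == 'true'` to `'${1}' == 'true'`, which duplicates the test already inside the parentheses, so the `--rotate-certificates` flag from the third audit command is never evaluated and a node that explicitly sets `rotateCertificates: false` in its config but passes `--rotate-certificates=true` is reported as failing. Restore `"('${1}' == ''; || '${1}' == 'true'; ) || '${2}' == 'true';"`.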
Expand All @@ -333,7 +333,7 @@ categories:
--feature-gates=RotateKubeletServerCertificate=true
check_type: multi_param
impact: None
eval_expr: "'$0' == 'true';"
eval_expr: "'${0}' == 'true';"
default_value: See the GKE documentation for the default value.
references:
- https://github.com/kubernetes/kubernetes/pull/45059