
Add kube-bench dry run to script/validate #173

Merged
merged 1 commit into from
Dec 12, 2023

Conversation

andypitcher

@andypitcher andypitcher commented Nov 24, 2023

Parent issue: rancher/cis-operator#227

This PR adds another layer of verification, to ensure that a given CIS benchmark is not faulty.

Let's say we introduce a typo in cis-1.7/master.yaml (tiype instead of type), but yamllint doesn't return any errors. Kube-bench can be run against the given benchmark (e.g. cis-1.7); if any of cis-1.7's files have a typo, it won't run.
kube-bench indicates which component (file) is faulty: error setting up master controls: non-master controls file specified

Example of scenario:

$ git diff
diff --git a/package/cfg/cis-1.7/master.yaml b/package/cfg/cis-1.7/master.yaml
index aa27cb4..647a813 100644
--- a/package/cfg/cis-1.7/master.yaml
+++ b/package/cfg/cis-1.7/master.yaml
@@ -3,7 +3,7 @@ controls:
 version: "1.7"
 id: 1
 text: "Control Plane Security Configuration"
-type: "master"
+type: "master"
 groups:
   - id: 1.1
     text: "Control Plane Node Configuration Files"
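Review bot: the `-type: "master"` and `+type: "master"` lines in this hunk are identical, so the diff as pasted does not actually show the `tiype` typo the description says was introduced; re-paste it so the `+` line reads `tiype: "master"`, otherwise a reader cannot connect the hunk to the "non-master controls file specified" error below.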

YAMLLINT test 🟢

$ yamllint security-scan/package/cfg/cis-1.7/master.yaml | grep -v line
security-scan/package/cfg/cis-1.7/master.yaml

KUBE-BENCH dry-run 🔴

$ ./kube-bench --config-dir security-scan/package/cfg --config security-scan/package/cfg/config.yaml --benchmark cis-1.7
Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18

error setting up master controls: non-master controls file specified
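A sketch of what the validation step described above could look like, written here as an added example and not the PR's own scripts/validate. It assumes yamllint and kube-bench are on PATH, the package/cfg/<benchmark>/ layout shown in the diff, and that kube-bench exits non-zero and prints an "error setting up ..." line for a malformed profile, as the output above shows:

```shell
#!/usr/bin/env sh
# Added example: lint every benchmark under a config dir, then run kube-bench
# against it so a typo that yamllint accepts (e.g. "tiype:") still fails CI.
# Assumptions: yamllint and kube-bench on PATH; layout package/cfg/<benchmark>/.

CFG_DIR="${CFG_DIR:-package/cfg}"

# Benchmark names are the subdirectories of the config dir (cis-1.7, ...).
list_benchmarks() {
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    basename "$d"
  done
}

# 0 if kube-bench output has no setup error, 1 if it contains a line such as
# "error setting up master controls: non-master controls file specified".
kb_output_ok() {
  ! printf '%s\n' "$1" | grep -q 'error setting up'
}

# Lint the benchmark's YAML, then let kube-bench parse it. No cluster is
# needed: kube-bench only warns that it could not auto-detect the version.
validate_benchmark() {
  cfg="$1"; bench="$2"
  yamllint "$cfg/$bench" || return 1
  out=$(kube-bench --config-dir "$cfg" --config "$cfg/config.yaml" \
        --benchmark "$bench" 2>&1) || { printf '%s\n' "$out"; return 1; }
  kb_output_ok "$out" || { printf '%s\n' "$out"; return 1; }
}

# Validate every benchmark and report; exit status is non-zero if any failed.
validate_all() {
  rc=0
  for b in $(list_benchmarks "$1"); do
    if validate_benchmark "$1" "$b"; then echo "OK   $b"; else echo "FAIL $b"; rc=1; fi
  done
  return $rc
}

# Only run when executed as scripts/validate, so the functions can be sourced.
if [ "${0##*/}" = "validate" ]; then
  validate_all "$CFG_DIR"
fi
```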

@rayandas

@andypitcher can you please rebase it?

@andypitcher andypitcher force-pushed the add-kb-dry-run-validate branch from 3119daf to d8e0cfe Compare December 12, 2023 10:25
@andypitcher andypitcher self-assigned this Dec 12, 2023
Tests the given profiles with kube-bench on top of testing their yaml structure. If any of the files in package/cfg introduce typos, kube-bench will fail.
@andypitcher andypitcher force-pushed the add-kb-dry-run-validate branch from d8e0cfe to d99188a Compare December 12, 2023 13:45

@rayandas rayandas left a comment


lgtm
