import (
"bytes"
- "errors"
+ "fmt"
"os/exec"
+
+ "check"
)
const (
cmdDockerCmdPs = "ps"
cmdDockerCmdPsParams = "--no-trunc"
cmdDockerCmdPsFilter = "--filter"
- cmdDockerCmdPsFilterArgs = "label=io.rancher.stack_service.name=kubernetes/kubernetes"
+ cmdDockerCmdPsFilterArgs = "label=io.rancher.stack_service.name="
cmdDockerCmdPsFormat = "--format"
cmdDockerCmdPsFormatArgs = "{{.Command}}"
- k8sProcess = "kube-apiserver"
)
-// GetK8sParams returns parameters of running Kubernetes API server.
+// Rancher implements Informer interface.
+type Rancher struct {
+ check.Informer
+}
+
+// GetAPIParams returns parameters of running Kubernetes API server.
// It queries default environment set in configuration file.
-func GetK8sParams() ([]string, error) {
+func (r *Rancher) GetAPIParams() ([]string, error) {
+ return getProcessParams(check.APIProcess, check.APIService)
+}
+
+func getProcessParams(process check.Command, service check.Service) ([]string, error) {
hosts, err := listHosts()
if err != nil {
return []string{}, err
}
for _, host := range hosts {
- cmd, err := getK8sCmd(host)
+ cmd, err := getPsCmdOutput(host, service)
if err != nil {
return []string{}, err
}
if len(cmd) > 0 {
- i := bytes.Index(cmd, []byte(k8sProcess))
+ i := bytes.Index(cmd, []byte(process.String()))
if i == -1 {
- return []string{}, errors.New("missing " + k8sProcess + " command")
+ return []string{}, fmt.Errorf("missing %s command", process)
}
- return btos(cmd[i+len(k8sProcess):]), nil
+ return btos(cmd[i+len(process.String()):]), nil
}
}
return []string{}, nil
return btos(out), nil
}
-// getK8sCmd returns running Kubernetes API server command with its parameters.
+// getPsCmdOutput returns running Kubernetes service command with its parameters.
// It queries default environment set in configuration file.
-func getK8sCmd(host string) ([]byte, error) {
+func getPsCmdOutput(host string, service check.Service) ([]byte, error) {
// Following is equivalent to:
// $ rancher --host $HOST \
// docker ps --no-trunc \
- // --filter "label=io.rancher.stack_service.name=kubernetes/kubernetes" \
+ // --filter "label=io.rancher.stack_service.name=$SERVICE" \
// --format "{{.Command}}"
cmd := exec.Command(bin, paramHost, host,
cmdDocker, cmdDockerCmdPs, cmdDockerCmdPsParams,
- cmdDockerCmdPsFilter, cmdDockerCmdPsFilterArgs,
+ cmdDockerCmdPsFilter, cmdDockerCmdPsFilterArgs+service.String(),
cmdDockerCmdPsFormat, cmdDockerCmdPsFormatArgs)
out, err := cmd.Output()
if err != nil {
import (
"bytes"
- "errors"
+ "fmt"
"io/ioutil"
"os/user"
"path/filepath"
"golang.org/x/crypto/ssh"
kh "golang.org/x/crypto/ssh/knownhosts"
+ "check"
"check/config"
)
etcd = "etcd"
worker = "worker"
- k8sProcess = "kube-apiserver"
- dockerInspectCmd = "docker inspect " + k8sProcess + " --format {{.Args}}"
-
knownHostsFile = "~/.ssh/known_hosts"
)
-// GetK8sParams returns parameters of running Kubernetes API servers.
+// Raw implements Informer interface.
+type Raw struct {
+ check.Informer
+}
+
+// GetAPIParams returns parameters of running Kubernetes API servers.
// It queries only cluster nodes with "controlplane" role.
-func GetK8sParams() ([]string, error) {
+func (r *Raw) GetAPIParams() ([]string, error) {
+ return getProcessParams(check.APIProcess)
+}
+
+func getProcessParams(process check.Command) ([]string, error) {
nodes, err := config.GetNodesInfo()
if err != nil {
return []string{}, err
for _, node := range nodes {
if isControlplaneNode(node.Role) {
- cmd, err := getK8sCmd(node)
+ cmd, err := getInspectCmdOutput(node, process)
if err != nil {
return []string{}, err
}
if len(cmd) > 0 {
- i := bytes.Index(cmd, []byte(k8sProcess))
+ i := bytes.Index(cmd, []byte(process.String()))
if i == -1 {
- return []string{}, errors.New("missing " + k8sProcess + " command")
+ return []string{}, fmt.Errorf("missing %s command", process)
}
- return btos(cmd[i+len(k8sProcess):]), nil
+ return btos(cmd[i+len(process.String()):]), nil
}
}
}
return false
}
-func getK8sCmd(node config.NodeInfo) ([]byte, error) {
+func getInspectCmdOutput(node config.NodeInfo, cmd check.Command) ([]byte, error) {
path, err := expandPath(node.SSHKeyPath)
if err != nil {
return nil, err
}
defer conn.Close()
- out, err := runCommand(dockerInspectCmd, conn)
+ out, err := runCommand(fmt.Sprintf("docker inspect %s --format {{.Args}}", cmd), conn)
if err != nil {
return nil, err
}
"check/validators/master/api"
)
-// Check validates master node complies with CIS guideliness.
-func Check(k8sParams []string) {
- log.Printf("IsBasicAuthFileAbsent: %t\n", api.IsBasicAuthFileAbsent(k8sParams))
- log.Printf("IsTokenAuthFileAbsent: %t\n", api.IsTokenAuthFileAbsent(k8sParams))
- log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", api.IsInsecureAllowAnyTokenAbsent(k8sParams))
-
- log.Printf("IsAnonymousAuthDisabled: %t\n", api.IsAnonymousAuthDisabled(k8sParams))
- log.Printf("IsInsecurePortUnbound: %t\n", api.IsInsecurePortUnbound(k8sParams))
- log.Printf("IsProfilingDisabled: %t\n", api.IsProfilingDisabled(k8sParams))
- log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", api.IsRepairMalformedUpdatesDisabled(k8sParams))
- log.Printf("IsServiceAccountLookupEnabled: %t\n", api.IsServiceAccountLookupEnabled(k8sParams))
-
- log.Printf("IsKubeletHTTPSAbsentOrEnabled: %t\n", api.IsKubeletHTTPSAbsentOrEnabled(k8sParams))
- log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", api.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
- log.Printf("IsSecurePortAbsentOrValid: %t\n", api.IsSecurePortAbsentOrValid(k8sParams))
-
- log.Printf("IsAlwaysAdmitAdmissionControlPluginExcluded: %t\n", api.IsAlwaysAdmitAdmissionControlPluginExcluded(k8sParams))
-
- log.Printf("IsAlwaysPullImagesAdmissionControlPluginIncluded: %t\n", api.IsAlwaysPullImagesAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsDenyEscalatingExecAdmissionControlPluginIncluded: %t\n", api.IsDenyEscalatingExecAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsSecurityContextDenyAdmissionControlPluginIncluded: %t\n", api.IsSecurityContextDenyAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsPodSecurityPolicyAdmissionControlPluginIncluded: %t\n", api.IsPodSecurityPolicyAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsServiceAccountAdmissionControlPluginIncluded: %t\n", api.IsServiceAccountAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsNodeRestrictionAdmissionControlPluginIncluded: %t\n", api.IsNodeRestrictionAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsEventRateLimitAdmissionControlPluginIncluded: %t\n", api.IsEventRateLimitAdmissionControlPluginIncluded(k8sParams))
-
- log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", api.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
-
- log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", api.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
- log.Printf("IsNodeAuthorizationModeIncluded: %t\n", api.IsNodeAuthorizationModeIncluded(k8sParams))
-
- log.Printf("IsAuditLogPathSet: %t\n", api.IsAuditLogPathSet(k8sParams))
- log.Printf("IsAuditLogMaxAgeValid: %t\n", api.IsAuditLogMaxAgeValid(k8sParams))
- log.Printf("IsAuditLogMaxBackupValid: %t\n", api.IsAuditLogMaxBackupValid(k8sParams))
- log.Printf("IsAuditLogMaxSizeValid: %t\n", api.IsAuditLogMaxSizeValid(k8sParams))
-
- log.Printf("IsRequestTimeoutValid: %t\n", api.IsRequestTimeoutValid(k8sParams))
-
- log.Printf("IsKubeletCertificateAuthoritySet: %t\n", api.IsKubeletCertificateAuthoritySet(k8sParams))
- log.Printf("IsClientCertificateAuthoritySet: %t\n", api.IsClientCertificateAuthoritySet(k8sParams))
- log.Printf("IsEtcdCertificateAuthoritySet: %t\n", api.IsEtcdCertificateAuthoritySet(k8sParams))
-
- log.Printf("IsServiceAccountKeySet: %t\n", api.IsServiceAccountKeySet(k8sParams))
- log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", api.IsKubeletClientCertificateAndKeySet(k8sParams))
- log.Printf("IsEtcdCertificateAndKeySet: %t\n", api.IsEtcdCertificateAndKeySet(k8sParams))
- log.Printf("IsTLSCertificateAndKeySet: %t\n", api.IsTLSCertificateAndKeySet(k8sParams))
-
- log.Printf("IsStrongCryptoCipherInUse: %t\n", api.IsStrongCryptoCipherInUse(k8sParams))
+// CheckAPI validates API server complies with CIS guideliness.
+func CheckAPI(params []string) {
+ log.Println("==> API:")
+ log.Printf("IsBasicAuthFileAbsent: %t\n", api.IsBasicAuthFileAbsent(params))
+ log.Printf("IsTokenAuthFileAbsent: %t\n", api.IsTokenAuthFileAbsent(params))
+ log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", api.IsInsecureAllowAnyTokenAbsent(params))
+
+ log.Printf("IsAnonymousAuthDisabled: %t\n", api.IsAnonymousAuthDisabled(params))
+ log.Printf("IsInsecurePortUnbound: %t\n", api.IsInsecurePortUnbound(params))
+ log.Printf("IsProfilingDisabled: %t\n", api.IsProfilingDisabled(params))
+ log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", api.IsRepairMalformedUpdatesDisabled(params))
+ log.Printf("IsServiceAccountLookupEnabled: %t\n", api.IsServiceAccountLookupEnabled(params))
+
+ log.Printf("IsKubeletHTTPSAbsentOrEnabled: %t\n", api.IsKubeletHTTPSAbsentOrEnabled(params))
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", api.IsInsecureBindAddressAbsentOrLoopback(params))
+ log.Printf("IsSecurePortAbsentOrValid: %t\n", api.IsSecurePortAbsentOrValid(params))
+
+ log.Printf("IsAlwaysAdmitAdmissionControlPluginExcluded: %t\n", api.IsAlwaysAdmitAdmissionControlPluginExcluded(params))
+
+ log.Printf("IsAlwaysPullImagesAdmissionControlPluginIncluded: %t\n", api.IsAlwaysPullImagesAdmissionControlPluginIncluded(params))
+ log.Printf("IsDenyEscalatingExecAdmissionControlPluginIncluded: %t\n", api.IsDenyEscalatingExecAdmissionControlPluginIncluded(params))
+ log.Printf("IsSecurityContextDenyAdmissionControlPluginIncluded: %t\n", api.IsSecurityContextDenyAdmissionControlPluginIncluded(params))
+ log.Printf("IsPodSecurityPolicyAdmissionControlPluginIncluded: %t\n", api.IsPodSecurityPolicyAdmissionControlPluginIncluded(params))
+ log.Printf("IsServiceAccountAdmissionControlPluginIncluded: %t\n", api.IsServiceAccountAdmissionControlPluginIncluded(params))
+ log.Printf("IsNodeRestrictionAdmissionControlPluginIncluded: %t\n", api.IsNodeRestrictionAdmissionControlPluginIncluded(params))
+ log.Printf("IsEventRateLimitAdmissionControlPluginIncluded: %t\n", api.IsEventRateLimitAdmissionControlPluginIncluded(params))
+
+ log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", api.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params))
+
+ log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", api.IsAlwaysAllowAuthorizationModeExcluded(params))
+ log.Printf("IsNodeAuthorizationModeIncluded: %t\n", api.IsNodeAuthorizationModeIncluded(params))
+
+ log.Printf("IsAuditLogPathSet: %t\n", api.IsAuditLogPathSet(params))
+ log.Printf("IsAuditLogMaxAgeValid: %t\n", api.IsAuditLogMaxAgeValid(params))
+ log.Printf("IsAuditLogMaxBackupValid: %t\n", api.IsAuditLogMaxBackupValid(params))
+ log.Printf("IsAuditLogMaxSizeValid: %t\n", api.IsAuditLogMaxSizeValid(params))
+
+ log.Printf("IsRequestTimeoutValid: %t\n", api.IsRequestTimeoutValid(params))
+
+ log.Printf("IsKubeletCertificateAuthoritySet: %t\n", api.IsKubeletCertificateAuthoritySet(params))
+ log.Printf("IsClientCertificateAuthoritySet: %t\n", api.IsClientCertificateAuthoritySet(params))
+ log.Printf("IsEtcdCertificateAuthoritySet: %t\n", api.IsEtcdCertificateAuthoritySet(params))
+
+ log.Printf("IsServiceAccountKeySet: %t\n", api.IsServiceAccountKeySet(params))
+ log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", api.IsKubeletClientCertificateAndKeySet(params))
+ log.Printf("IsEtcdCertificateAndKeySet: %t\n", api.IsEtcdCertificateAndKeySet(params))
+ log.Printf("IsTLSCertificateAndKeySet: %t\n", api.IsTLSCertificateAndKeySet(params))
+
+ log.Printf("IsStrongCryptoCipherInUse: %t\n", api.IsStrongCryptoCipherInUse(params))
}