cmd

Documentation

Index

• Constants
• Variables
• func Execute()
• func NewRunFilter(opts FilterOpts) (check.Predicate, error)
• type FilterOpts
• type KubeVersion
  • func (k *KubeVersion) BaseVersion() string
• type VersionResponse

Constants

const REGION = "AWS_REGION"

REGION ...

Variables

var KubeBenchVersion string

var RootCmd = &cobra.Command{
	Use:   os.Args[0],
	Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
	Long:  `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
	Run: func(cmd *cobra.Command, args []string) {
		bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())
		if err != nil {
			exitWithError(fmt.Errorf("unable to determine benchmark version: %v", err))
		}
		glog.V(1).Infof("Running checks for benchmark %v", bv)

		if isMaster() {
			glog.V(1).Info("== Running master checks ==")
			runChecks(check.MASTER, loadConfig(check.MASTER, bv))

			valid, err := validTargets(bv, []string{string(check.CONTROLPLANE)}, viper.GetViper())
			if err != nil {
				exitWithError(fmt.Errorf("error validating targets: %v", err))
			}
			if valid {
				glog.V(1).Info("== Running control plane checks ==")
				runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv))
			}
		} else {
			glog.V(1).Info("== Skipping master checks ==")
		}

		valid, err := validTargets(bv, []string{string(check.ETCD)}, viper.GetViper())
		if err != nil {
			exitWithError(fmt.Errorf("error validating targets: %v", err))
		}
		if valid && isEtcd() {
			glog.V(1).Info("== Running etcd checks ==")
			runChecks(check.ETCD, loadConfig(check.ETCD, bv))
		} else {
			glog.V(1).Info("== Skipping etcd checks ==")
		}

		glog.V(1).Info("== Running node checks ==")
		runChecks(check.NODE, loadConfig(check.NODE, bv))

		valid, err = validTargets(bv, []string{string(check.POLICIES)}, viper.GetViper())
		if err != nil {
			exitWithError(fmt.Errorf("error validating targets: %v", err))
		}
		if valid {
			glog.V(1).Info("== Running policies checks ==")
			runChecks(check.POLICIES, loadConfig(check.POLICIES, bv))
		} else {
			glog.V(1).Info("== Skipping policies checks ==")
		}

		valid, err = validTargets(bv, []string{string(check.MANAGEDSERVICES)}, viper.GetViper())
		if err != nil {
			exitWithError(fmt.Errorf("error validating targets: %v", err))
		}
		if valid {
			glog.V(1).Info("== Running managed services checks ==")
			runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv))
		} else {
			glog.V(1).Info("== Skipping managed services checks ==")
		}

		writeOutput(controlsCollection)
		exitCode := exitCodeSelection(controlsCollection)
		os.Exit(exitCode)
	},
}

RootCmd represents the base command when called without any subcommands

var TypeMap = map[string][]string{
	"ca":         []string{"cafile", "defaultcafile"},
	"kubeconfig": []string{"kubeconfig", "defaultkubeconfig"},
	"service":    []string{"svc", "defaultsvc"},
	"config":     []string{"confs", "defaultconf"},
}

Functions

func Execute

func Execute()

Execute adds all child commands to the root command sets flags appropriately. This is called by main.main(). It only needs to happen once to the rootCmd.

func NewRunFilter

func NewRunFilter(opts FilterOpts) (check.Predicate, error)

NewRunFilter constructs a Predicate based on FilterOpts which determines whether tested Checks should be run or not.

Types

type FilterOpts

type FilterOpts struct {
	CheckList string
	GroupList string
	Scored    bool
	Unscored  bool
}

type KubeVersion

type KubeVersion struct {
	Major string
	Minor string

	GitVersion string
	// contains filtered or unexported fields
}

func (*KubeVersion) BaseVersion

func (k *KubeVersion) BaseVersion() string

type VersionResponse

type VersionResponse struct {
	Major        string
	Minor        string
	GitVersion   string
	GitCommit    string
	GitTreeState string
	BuildDate    string
	GoVersion    string
	Compiler     string
	Platform     string
}