On the matter of considering the kubelet config file for kubelet audits (#195), I think the simplest solution is to wrap the standard CIS audit commands in a script that also checks the config files and returns the expected output for the audit tests.
We already do something similar in the `cfg/1.8/master` tests for configuration files (1.4), where we wrap the actual test in a script that checks if the file exists in the first place before running the audit command. It is a flexible, expressive solution that does not require code changes in kube-bench, and our work will be limited to getting the script right.
This is an example of such a wrapper (according to the CIS document, command-line params take precedence).
```bash
# get config file path: print only the captured value, so $f is empty
# (not the whole command line) when kubelet runs without --config
f=$(ps -C kubelet -o cmd --no-headers | sed -n 's%^.*--config[= ]\([^ ]*\).*$%\1%p')
# check for command line param (takes precedence over the config file)
if ps -C kubelet -o cmd --no-headers | grep -q '\-\-allow-privileged'; then
  echo use standard audit command
  # ps -fC kubelet
elif [ -f "$f" ]; then
  echo write audit command to check kubelet config
else
  echo default
fi
```
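As an added example (not the issue author's script and not kube-bench code), the same precedence logic as a reusable POSIX sh wrapper: a setting is taken from the kubelet command line first, then from the file named by `--config`, and otherwise from a supplied default, and the result is printed as `source=value` so an audit check can match on either part. It assumes the config file carries the setting as a top-level `key: value` line (as `readOnlyPort` is in a KubeletConfiguration); nested keys are out of scope. The `ps -C kubelet` lookup at the bottom is the only part that touches a live node; everything else works on strings and files so it can be exercised with constructed input.

```bash
#!/bin/sh
# Added example wrapper: resolve a kubelet setting with CIS precedence
# (command line > --config file > default). Not kube-bench's own code.

# Print the value of --<flag> from a kubelet command line string.
# Handles "--flag=value" and "--flag value"; a bare boolean flag such as
# "--allow-privileged" (no value, next token starts with "-") prints "true".
# Prints nothing when the flag is absent.
flag_value() {
  line=$1; flag=$2
  case " $line " in
    *" --$flag="*)
      printf '%s\n' "$line" | sed -n "s/^.* --$flag=\([^ ]*\).*$/\1/p" ;;
    *" --$flag "*)
      v=$(printf '%s\n' "$line" | sed -n "s/^.* --$flag \([^- ][^ ]*\).*$/\1/p")
      printf '%s\n' "${v:-true}" ;;
  esac
}

# Print a top-level scalar key from a KubeletConfiguration YAML file.
# Assumption: "key: value" on one line; prints nothing if missing.
config_value() {
  file=$1; key=$2
  [ -f "$file" ] || return 0
  sed -n "s/^$key:[[:space:]]*\(.*\)$/\1/p" "$file"
}

# Resolve one setting: $1 = kubelet command line, $2 = flag name (no --),
# $3 = config file key, $4 = default. Prints "cmdline=", "config=" or
# "default=" followed by the value, so the caller knows where it came from.
resolve_setting() {
  cmdline=$1; flag=$2; key=$3; def=$4
  v=$(flag_value "$cmdline" "$flag")
  if [ -n "$v" ]; then
    printf 'cmdline=%s\n' "$v"
    return 0
  fi
  cfg=$(flag_value "$cmdline" "config")
  if [ -n "$cfg" ]; then
    v=$(config_value "$cfg" "$key")
    if [ -n "$v" ]; then
      printf 'config=%s\n' "$v"
      return 0
    fi
  fi
  printf 'default=%s\n' "$def"
}

# Live usage on a node (the only part that needs a running kubelet):
#   resolve_setting "$(ps -C kubelet -o cmd --no-headers)" read-only-port readOnlyPort 10255
# An audit test can then grep the output for "=0" regardless of the source.
```

Because the source is printed alongside the value, a kube-bench test wrapped this way can keep its existing expected-output pattern while the wrapper absorbs the difference between flag-based and file-based kubelet configuration.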