[Proposal] Checking kubelet process arguments and kubelet config file #240

Closed · ttousai opened this issue Mar 12, 2019 · 1 comment

ttousai (Contributor) commented Mar 12, 2019

On the matter of considering the kubelet config file for kubelet audits (#195), I think the simplest solution is to wrap the standard CIS audit commands in a script that also checks the config files and returns the expected output for the audit tests.

We already do something similar in the cfg/1.8/master tests for configuration files (1.4), where we wrap the actual test in a script that checks whether the file exists in the first place before running the audit command. It is a flexible, expressive solution that does not require code changes in kube-bench, and our work will be limited to getting the script right.

This is an example of such a wrapper (according to the CIS document, command-line params take precedence).

# get config file path from the running kubelet's command line
# (handles both --config=/path and --config /path; the value may be the last argument)
f=$(ps -C kubelet -o cmd --no-headers | sed -n 's%^.*--config[= ]\([^ ]*\).*$%\1%p')
# check for the command line param first: it takes precedence over the config file
ps -C kubelet -o cmd --no-headers | grep -q -- '--allow-privileged'
if [ $? -eq 0 ]; then
  echo use standard audit command
  # ps -fC kubelet
elif [ -f "$f" ]; then
  echo write audit command to check kubelet config
else
  echo default
fi
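The wrapper sketched above only decides which branch to take. As an added example (not code from the issue author or from kube-bench), the script below carries the idea through to an actual audit result: it resolves the effective value of a kubelet setting with the precedence the CIS document describes (command-line flag, then the KubeletConfiguration file named by --config, then the kubelet's built-in default), and runs a CIS-style read-only-port check against it. The kubelet command lines and config file are constructed sample data written to a temp file; in real use the command line would come from `ps -C kubelet -o cmd --no-headers`. The config parser only handles top-level scalar keys such as `readOnlyPort` and `protectKernelDefaults`; nested keys (e.g. `authentication.anonymous.enabled`) would need a real YAML parser, which is an assumption of this example rather than something the issue discusses.

```shell
#!/bin/sh
# Resolve kubelet settings with CIS precedence: CLI flag > --config file > built-in default.

# Value of --<flag>=value or --<flag> value on a kubelet command line.
# A bare boolean flag (e.g. --protect-kernel-defaults) yields "true". Empty if absent.
cli_flag_value() { # $1=command line, $2=flag name without leading dashes
  v=$(printf '%s\n' "$1" | sed -n "s/^.*--$2=\([^ ]*\).*$/\1/p")
  if [ -z "$v" ]; then
    v=$(printf '%s\n' "$1" | sed -n "s/^.*--$2 \([^- ][^ ]*\).*$/\1/p")
  fi
  if [ -z "$v" ] && printf '%s\n' "$1" | grep -qE -- "--$2( |\$)"; then
    v=true
  fi
  printf '%s\n' "$v"
}

# Path given to --config on the command line (empty if the kubelet runs without one).
kubelet_config_path() { cli_flag_value "$1" config; }

# Top-level scalar key from a KubeletConfiguration YAML file (assumption: unquoted, unnested).
config_value() { # $1=config file, $2=YAML key
  [ -f "$1" ] || return 0
  sed -n "s/^$2:[[:space:]]*\([^[:space:]#]*\).*$/\1/p" "$1"
}

# Effective value: CLI flag wins, then the config file, then the kubelet default.
effective_value() { # $1=command line, $2=flag, $3=config key, $4=default
  v=$(cli_flag_value "$1" "$2")
  [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
  v=$(config_value "$(kubelet_config_path "$1")" "$3")
  [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
  printf '%s\n' "$4"
}

# CIS-style check: the read-only port must be disabled (0). Kubelet default is 10255.
check_read_only_port() { # $1=command line; exit 0 on PASS, 1 on FAIL
  if [ "$(effective_value "$1" read-only-port readOnlyPort 10255)" = 0 ]; then
    echo "PASS: kubelet read-only port is disabled"
    return 0
  fi
  echo "FAIL: kubelet read-only port is enabled"
  return 1
}

# --- constructed sample data (not taken from a real node) ---
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
readOnlyPort: 10255
protectKernelDefaults: false
EOF
# Flag on the command line overrides the insecure value in the config file.
SAMPLE_CMDLINE_OVERRIDE="/usr/bin/kubelet --config=$CFG --read-only-port=0 --kubeconfig=/etc/kubernetes/kubelet.conf"
# Only the config file speaks, so its readOnlyPort: 10255 is what the kubelet uses.
SAMPLE_CMDLINE_CONFIG_ONLY="/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --config $CFG"

for c in "$SAMPLE_CMDLINE_OVERRIDE" "$SAMPLE_CMDLINE_CONFIG_ONLY"; do
  check_read_only_port "$c" || :
done
```

A wrapper like this still has to be written per setting, because the flag name, the config key and the default differ for each control; the CIS benchmark lists all three for the kubelet checks, so the mapping is mechanical but must be kept in sync with the kubelet version being audited.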
ttousai (Contributor, Author) commented Mar 19, 2019

Closing this issue in favor of the proposal in #239.

@ttousai ttousai closed this as completed Mar 19, 2019