Fix issues with checks for kubelet configuration files #228
Conversation
This fix applies to only checks for kubernetes versions 1.8 and 1.11. See #208.
There are checks for the kubeconfig for both kubelet and proxy which the current kube-bench implementation does not check for properly. kube-bench checks the wrong files. This PR adds support for variable substitution for all the config file types are that should be checked in the CIS benchmarks. This PR also fixes a buggy in CIS 1.3.0 check 2.2.9, which checks for ownership of the kubelet config file /var/lib/kubelet/config.yaml but recommends changing ownership of kubelet kubeconfig file /etc/kubernetes/kubelet.conf as remediation.
There was a problem hiding this comment.
Basically looks good! I think we need to hang on to the .manifest extension files though.
Do we need to take another look at the control plane components too? I wonder if we have confused the config yaml and the kubeconfig (credentials) files for things like kube-apiserver.yaml as well. We can do that in a separate issue if you prefer - could you take a look and raise an issue if you think there is a problem there?
cfg/1.8/config.yaml
Outdated
| @@ -9,36 +9,13 @@ | |||
|
|
|||
| master: | |||
| apiserver: | |||
| confs: | |||
| - /etc/kubernetes/manifests/kube-apiserver.yaml | |||
| - /etc/kubernetes/manifests/kube-apiserver.manifest | |||
There was a problem hiding this comment.
I think we still need the possibility of .manifest extension (as an alternative to .yaml) for kops and kubespray installations (see c44e0db)
There was a problem hiding this comment.
(same for scheduler, controller manager & etcd below in this file)
There was a problem hiding this comment.
I don't see anything wrong with keeping them. My idea was to clean up our configs a bit and there is no actual problem keeping them.
cfg/1.8/config.yaml
Outdated
| defaultconf: /etc/kubernetes/manifests/etcd.yaml | ||
|
|
||
| node: |
There was a problem hiding this comment.
Just checking - do we not need these node settings in the 1.8 version of config.yaml because we pick it up from the defaults in cfg/config.yaml?
There was a problem hiding this comment.
Yes we pick the default config from cfg/config.yaml
This is a more detailed solution to the issue reported in the PR #208. It fixes issues with variable substitutions for node benchmarks.
There are 3 major config files for kubelets k8s nodes:
In the previous versions of kube-bench there was no distinction between these files and results of running node checks were misleading. This PR adds the distinction and also adds support for a new type of variable
kubeconfig.