OpenShift-Ordeal is an open source audit scanner who perform audit check on OpenShift Cluster and output it security report
The audit tests are the full implementation of CIS openshift Benchmark specification
audit result now can be leveraged as webhook via user plugin(using go plugin)
- root cause of the security issue.
- proposed remediation for security issue.
git clone https://github.com/chen-keinan/openshift-ordeal
cd openshift-ordeal
make build
./openshift-ordeal
Usage: openshift-ordeal [--version] [--help] <command> [<args>]
Available commands are:
-r , --report : run audit tests and generate failure and warn report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-c , --classic: test report in classic view, example -c
The openshift-ordeal expose hook for user plugins Example :
- openshiftBenchAuditResultHook - this hook accepts audit benchmark results as found by audit test
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
cp /<plugin folder>/bench_plugin.so ~/.openshift-ordeal/plugins/compile/bench_plugin.so
Note: Plugin and binary must compile with the same linux env
The openshift-ordeal support cis specs and can be easily extended:
- master config file change spec CIS openshift Benchmark specification
both specs can be easily extended by amended the spec files under
~/.openshift-ordeal/benchmarks/openshift/v1.0.0folder
- code contribution is welcome !! , contribution with tests and passing linter is more than welcome
- /.dev folder include vagrantfile to be used for development : Dev Instruction