
cis-kubernetes-benchmark's Introduction

CIS Kubernetes Benchmark - InSpec Profile

Description

This profile implements the CIS Kubernetes 1.5.0 Benchmark.

Attributes

To switch between the CIS profile levels the following attribute can be used:

  • cis_level: 2, which defines the profile level to use; accepted values are 1 and 2.

Refer to the InSpec Profiles Reference for more information about Profile Attributes.

Usage

This Compliance Profile requires InSpec for execution:

$ git clone https://github.com/dev-sec/cis-kubernetes-benchmark
$ inspec exec cis-kubernetes-benchmark

You can also execute the profile directly from GitHub:

$ inspec exec https://github.com/dev-sec/cis-kubernetes-benchmark

Or execute specific controls instead of all:

$ inspec exec cis-kubernetes-benchmark --controls=cis-kubernetes-benchmark-1.1.2 cis-kubernetes-benchmark-1.3.5

Refer to the InSpec CLI reference for more information.

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

cis-kubernetes-benchmark's People

Contributors

aromeyer, artem-sidorenko, atomic111, chris-rock, e100, jaredledvina, micheelengronne, rarenerd, renovate[bot], ruettimac, schurzi, silenceper, thheinen, tstuber

cis-kubernetes-benchmark's Issues

[Bug] Various errors in etcd controls

Describe the bug
Encountering various errors when executing etcd controls (2.*).

Expected behavior
I expect to receive passed/failed/skipped results based on observed system & application state.

Actual behavior

undefined method `empty?' error encountered in controls 2.1, 2.2, 2.4, & 2.5:

...
×  cis-kubernetes-benchmark:2.1: Ensure that the --cert-file and --key-file arguments are set as appropriate (4 failed)
  ×  ["/usr/bin/etcd -name=...\"] is expected to match /--cert-file=/
  ...
  ×  Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_CERT_FILE
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000006453908>
   
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005d4c6a0>
  ×  ["/usr/bin/etcd -name=...\"]" to match /--key-file=/
  ...
  ×  Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_KEY_FILE
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x000000000643f250>
   
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005d1bb18>
×  cis-kubernetes-benchmark:2.2: Ensure that the --client-cert-auth argument is set to true (2 failed)
  ×  ["/usr/bin/etcd -name=...\"]" to match /--client-cert-auth=true/
  ...
  ×  Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_CLIENT_CERT_AUTH
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000006125a10>
   
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005bc9198>
  ...
×  cis-kubernetes-benchmark:2.4: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (4 failed)
  ×  ["/usr/bin/etcd -name=...\"]" to match /--peer-cert-file=/
  ...
  ×  Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_PEER_CERT_FILE 
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000006303e90>

  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005ba25e8>
  ×  ["/usr/bin/etcd -name=...\"] is expected to match /--peer-key-file=/
  ...
  ×  Enviroment variables for Processes /\/usr\/bin\/etcd/ ETCD_PEER_KEY_FILE 
  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005e12378>

  undefined method `empty?' for #<#<Class:0x000000000443df60>:0x0000000005b901b8>
...

The last result in each control is the issue.

Control Source Code Error encountered in control 2.7:

×  cis-kubernetes-benchmark:2.7: Ensure that a unique Certificate Authority is used for etcd
 ×  Control Source Code Error cis-kubernetes-benchmark-1.0.2/controls/2_etcd_node.rb:133
 undefined local variable or method `cis_level' for #<Inspec::Rule:0x0000000005d64138>

Example code

inspec exec https://github.com/dev-sec/cis-kubernetes-benchmark/archive/1.0.2.tar.gz --color --show-progress -i ~/.ssh/id_rsa --chef-license=accept --no-create-lockfile --bastion-user=bastion_user --bastion-host=bastion.dev.com -t=ssh://[email protected]

OS / Environment

Linux ... 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Inspec Version

4.26.4

Baseline Version

6a960bc7872df07ee38876c5cb750f6637ff026b

Update to CIS Benchmark 1.4.1

Is your feature request related to a problem? Please describe.

Currently this benchmark implements version 1.4.0. Let's compare the differences and implement the missing controls.

Describe the solution you'd like

  • identify changes between 1.4.0 and 1.4.1
  • implement missing controls

Describe alternatives you've considered

n/a

Additional context

n/a

Runtime exception (encode': "\xE2" from ASCII-8BIT to UTF-8 (Encoding::UndefinedConversionError)) when requesting json format output

inspec exec https://github.com/dev-sec/cis-kubernetes-benchmark/archive/master.zip --format json

WARN: Unresolved specs during Gem::Specification.reset: rake (>= 0)
WARN: Clearing out unresolved specs. Please report a bug if this causes problems.
/opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/formatters/json_formatter.rb:56:in encode': "\xE2" from ASCII-8BIT to UTF-8 (Encoding::UndefinedConversionError)
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/formatters/json_formatter.rb:56:in to_json'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/formatters/json_formatter.rb:56:in close'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:206:in block in notify'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:205:in each'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:205:in notify'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:238:in close'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:193:in close_after'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:171:in finish'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/reporter.rb:81:in report'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/rspec-core-3.7.0/lib/rspec/core/runner.rb:112:in run_specs'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/runner_rspec.rb:77:in run'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/runner.rb:116:in run_tests'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/runner.rb:100:in run'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/base_cli.rb:83:in run_tests'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/lib/inspec/cli.rb:158:in exec'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/command.rb:27:in run'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in invoke_command'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor.rb:359:in dispatch'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/base.rb:440:in start'
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.45.13/bin/inspec:12:in <top (required)>'
from /usr/bin/inspec:23:in load'
from /usr/bin/inspec:23:in '

Audit policy metadata-only rule should include `serviceaccounts/token` resource

The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:

A recent bugfix resolves logging of subresource requests which would previously fail with an error. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.

The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log.
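An added check for the gap this issue describes, written in plain Ruby rather than taken from the profile: it parses a constructed audit policy (sample values, not the project's file) and reports which credential-bearing resources are not covered by a Metadata-level rule, treating serviceaccounts/token as a required entry.

```ruby
require 'yaml'

# Constructed sample policy (not from the project): a metadata-only rule for
# credential-bearing resources, extended with the serviceaccounts/token
# subresource the issue asks for, followed by a catch-all rule.
SAMPLE_POLICY = <<~YAML
  apiVersion: audit.k8s.io/v1
  kind: Policy
  rules:
    - level: Metadata
      resources:
        - group: ""
          resources: ["secrets", "configmaps", "serviceaccounts/token"]
        - group: authentication.k8s.io
          resources: ["tokenreviews"]
    - level: RequestResponse
YAML

# Does the first rule matching (group, resource) log only metadata?
# Kubernetes evaluates audit rules in order, so an earlier rule wins, and a
# subresource is matched by its "resource/subresource" spelling.
def metadata_only?(policy_yaml, group, resource)
  policy = YAML.safe_load(policy_yaml)
  rule = policy.fetch('rules', []).find do |r|
    specs = r['resources']
    next true if specs.nil? # a rule without "resources" matches everything
    specs.any? do |spec|
      spec.fetch('group', '') == group &&
        spec.fetch('resources', []).include?(resource)
    end
  end
  return false if rule.nil?
  rule['level'] == 'Metadata'
end

# List the credential-bearing resources whose request/response bodies would
# still reach the audit log under this policy.
def unguarded_resources(policy_yaml)
  wanted = [['', 'secrets'], ['', 'configmaps'], ['', 'serviceaccounts/token'],
            ['authentication.k8s.io', 'tokenreviews']]
  wanted.reject { |g, r| metadata_only?(policy_yaml, g, r) }
        .map { |g, r| g.empty? ? r : "#{g}/#{r}" }
end
```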

More Guidance On Usage

I have just started using inspec to run tests against my infrastructure that is generated via terraform. Everything is working great. I output the terraform results to a JSON file, parse it to create various variables and then use those variables in my tests.

Looking at this profile, I'm not quite sure:

  1. Where should this run from? External to the cluster, inside a container on a node, physically on a worker node, etc.?
  2. Do I need to pass in any external information? IPs of the masters, etc.?

Thanks,

Provide Changelog

Hello and thanks for making this available!

Would definitely love to see a CHANGELOG.md. I understand the README declares the current CIS benchmark, but a changelog would be helpful for high level progress without digging into individual commits.

Thanks.

Basic guidance on usage

Hi, nice work. I was working on something similar, but now I think I can leverage this tool instead!

Request:

Can you provide a bit more on how to invoke the checks more specifically than just "all"?
Can you provide guidance on your reference cluster that passes all the checks?

Thanks!

process_env_vars seems entirely broken

I used the etcd cookbook to set up etcd; it seems to use only a single dash for CLI options to etcd (-data-dir instead of --data-dir). etcd does not seem to care either way.

This results in etcd_env_vars getting exercised and throwing exceptions such as:

/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/resources/platform.rb:18:in initialize': stack level too deep (SystemStackError)
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/plugins/resource.rb:64:in initialize'
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in new'
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in block (3 levels) in create '
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/resources/file.rb:40:in initialize'
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/plugins/resource.rb:64:in initialize'
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in new'
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/lib/inspec/backend.rb:80:in block (3 levels) in create '
from libraries/process_env_var.rb:38:in read_params'
... 11381 levels...
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/thor-0.19.1/lib/thor/base.rb:440:in start'
from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/inspec-1.51.21/bin/inspec:12:in <top (required)>'
from /opt/chefdk/bin/inspec:250:in load'
from /opt/chefdk/bin/inspec:250:in '

Time permitting I should be able to create a pull request for this soon.
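An added illustration, in plain Ruby rather than InSpec DSL and not the profile's own library code, of the two failure modes described in this issue and in the etcd bug report above: the command-line match accepts both single- and double-dash spellings, and the environment fallback returns a nil result instead of raising when the ETCD_* variable is absent. The sample command line and environment are constructed.

```ruby
# Map a flag such as "cert-file" to the environment variable etcd reads
# for it (ETCD_CERT_FILE): dashes become underscores, upper-cased.
def etcd_env_name(flag)
  "ETCD_#{flag.tr('-', '_').upcase}"
end

# Locate an etcd option in the process command line, accepting the
# single-dash spelling the cookbook emits (-cert-file=...) as well as the
# double-dash one (--cert-file=...), in both "flag=value" and "flag value" form.
# The leading (^|\s) keeps "key-file" from matching inside "-peer-key-file".
def cmdline_value(cmdline, flag)
  m = cmdline.match(/(?:^|\s)--?#{Regexp.escape(flag)}(?:=|\s+)(\S+)/)
  m && m[1]
end

# CIS 2.x style lookup: where the value came from, or nil when it is set
# nowhere. The env lookup is a plain Hash#[] so a missing variable yields
# nil rather than the undefined-method error shown in the bug report.
def etcd_option(cmdline, env, flag)
  if (v = cmdline_value(cmdline, flag))
    { source: :cmdline, value: v }
  elsif (v = env[etcd_env_name(flag)]) && !v.empty?
    { source: :env, value: v }
  end
end

# Evaluate the TLS flags that controls 2.1 and 2.4 look for.
def etcd_tls_findings(cmdline, env)
  %w[cert-file key-file peer-cert-file peer-key-file].map do |flag|
    r = etcd_option(cmdline, env, flag)
    [flag, r ? "set via #{r[:source]}" : 'NOT SET']
  end.to_h
end

# Constructed sample: single-dash flags, one value supplied only via env,
# and one (peer-key-file) set nowhere.
SAMPLE_CMDLINE = '/usr/bin/etcd -name=node1 -cert-file=/etc/etcd/server.crt ' \
                 '-key-file /etc/etcd/server.key'
SAMPLE_ENV = { 'ETCD_PEER_CERT_FILE' => '/etc/etcd/peer.crt' }
```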

CIS Kubernetes Benchmark Profile on EKS

I am unable to run the InSpec.io cis-k8s-benchmark on my EKS cluster; it'd be nice to have a CLI flag to provide the cluster ARN and run the benchmark against the remote EKS cluster.

I couldn't find any information in the README.md file, maybe you have a solution in place you could share with me?

Question: Azure Kubernetes Service (AKS) Benchmark Scan

I am looking at running this InSpec profile against the Azure Kubernetes Service, however I'm not sure this is actually possible. I looked at a different (closed) issue, and it states that we need to run this scan against the master/worker nodes.

However, based on the AKS documentation, I do not believe that we have access to the master. Their documentation states this:

AKS provides a single-tenant cluster master, with a dedicated API server, Scheduler, etc. You define the number and size of the nodes, and the Azure platform configures the secure communication between the cluster master and nodes. Interaction with the cluster master occurs through Kubernetes APIs, such as kubectl or the Kubernetes dashboard.

This managed cluster master means that you do not need to configure components like a highly available etcd store, but it also means that you cannot access the cluster master directly. Upgrades to Kubernetes are orchestrated through the Azure CLI or Azure portal, which upgrades the cluster master and then the nodes.

In AKS, the Kubernetes master components are part of the managed service provided by Microsoft. Each AKS cluster has their own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc. This master is managed and maintained by Microsoft.

Based on the above, we have access to the API Server endpoint and access via kubectl.

I'm curious if you know of a way to run the benchmark in this setup against the applicable checks?

Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#cluster-master
