bloodhound: Add base Kubernetes checker binary

This adds a multicall binary to be used as the common entry point for
all Kubernetes CIS benchmark checks.

Signed-off-by: Sean McGinnis <[email protected]>

packages/os/cis-checks-k8s-metadata-json

@@ -0,0 +1,5 @@
+{
+    "name": "CIS Kubernetes Benchmark (Worker Node)",
+    "version": "v1.7.1",
+    "url": "https://www.cisecurity.org/benchmark/kubernetes"
+}

packages/os/os.spec

@@ -26,8 +26,11 @@ Source7: host-ctr-toml
 Source8: oci-default-hooks-json
 Source9: cfsignal-toml
 Source10: warm-pool-wait-toml
-Source11: bottlerocket-cis-checks-metadata-json
+Source11: cis-checks-bottlerocket-metadata-json
 Source12: 00-resolved.conf
+%if %{with k8s_runtime}
+Source13: cis-checks-k8s-metadata-json
+%endif
 
 # 1xx sources: systemd units
 Source100: apiserver.service
@@ -383,6 +386,9 @@ for p in \
 ; do
   install -p -m 0755 ${HOME}/.cache/%{__cargo_target}/release/${p} %{buildroot}%{_cross_bindir}
 done
+%if %{with k8s_runtime}
+install -p -m 0755 ${HOME}/.cache/%{__cargo_target}/release/kubernetes-checks %{buildroot}%{_cross_bindir}
+%endif
 
 # Add the bloodhound checker symlinks
 mkdir -p %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket
@@ -397,6 +403,17 @@ for p in \
 done
 install -m 0644 %{S:11} %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/metadata.json
 
+# Only add the k8s checks if it is a k8s variant
+%if %{with k8s_runtime}
+mkdir -p %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes
+for p in \
+  k8s04010300 k8s04010400 k8s04020700 k8s04020800 \
+; do
+  ln -rs %{buildroot}%{_cross_bindir}/kubernetes-checks %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/${p}
+done
+install -m 0644 %{S:13} %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/metadata.json
+%endif
+
 for p in apiclient ; do
   install -p -m 0755 ${HOME}/.cache/.static/%{__cargo_target_static}/release/${p} %{buildroot}%{_cross_bindir}
 done
@@ -645,5 +662,9 @@ install -p -m 0644 %{S:121} %{buildroot}%{_cross_unitdir}
 %{_cross_bindir}/bloodhound
 %{_cross_bindir}/bottlerocket-checks
 %{_cross_libexecdir}/cis-checks/bottlerocket
+%if %{with k8s_runtime}
+%{_cross_bindir}/kubernetes-checks
+%{_cross_libexecdir}/cis-checks/kubernetes
+%endif
 
 %changelog

sources/bloodhound/src/bin/kubernetes-checks/main.rs

@@ -0,0 +1,54 @@
+use bloodhound::results::*;
+use std::env;
+use std::path::Path;
+
+fn main() {
+    let args: Vec<String> = env::args().collect();
+    let cmd_name = Path::new(&args[0])
+        .file_name()
+        .unwrap_or_default()
+        .to_str()
+        .unwrap_or_default();
+
+    let checker: Box<dyn Checker> = match cmd_name {
+        "k8s04010300" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive".to_string(),
+            id: "4.1.3".to_string(),
+            level: 1,
+        }),
+        "k8s04010400" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "If proxy kubeconfig file exists ensure ownership is set to root:root".to_string(),
+            id: "4.1.4".to_string(),
+            level: 1,
+        }),
+        "k8s04020700" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "Ensure that the --hostname-override argument is not set (not valid for Bottlerocket)".to_string(),
+            id: "4.2.7".to_string(),
+            level: 1,
+        }),
+        "k8s04020800" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture".to_string(),
+            id: "4.2.8".to_string(),
+            level: 2,
+        }),
+        &_ => {
+            eprintln!("Command {} is not supported.", cmd_name);
+            return;
+        }
+    };
+
+    // Check if the metadata subcommand is being called
+    let get_metadata = env::args().nth(1).unwrap_or_default() == "metadata";
+
+    if get_metadata {
+        let metadata = checker.metadata();
+        println!("{}", metadata);
+    } else {
+        let result = checker.execute();
+        println!("{}", result);
+    }
+}