From 76b8b54eba0460996d3fa4dc3a38deb64490ce87 Mon Sep 17 00:00:00 2001 From: Sean McGinnis Date: Wed, 28 Jun 2023 13:52:10 +0000 Subject: [PATCH] bloodhound: Add base Kubernetes checker binary This adds a multicall binary to be used as the common entry point for all Kubernetes CIS benchmark checks. Signed-off-by: Sean McGinnis --- ... => cis-checks-bottlerocket-metadata-json} | 0 packages/os/cis-checks-k8s-metadata-json | 5 ++ packages/os/os.spec | 23 +++++++- .../src/bin/kubernetes-checks/main.rs | 54 +++++++++++++++++++ 4 files changed, 81 insertions(+), 1 deletion(-) rename packages/os/{bottlerocket-cis-checks-metadata-json => cis-checks-bottlerocket-metadata-json} (100%) create mode 100644 packages/os/cis-checks-k8s-metadata-json create mode 100644 sources/bloodhound/src/bin/kubernetes-checks/main.rs diff --git a/packages/os/bottlerocket-cis-checks-metadata-json b/packages/os/cis-checks-bottlerocket-metadata-json similarity index 100% rename from packages/os/bottlerocket-cis-checks-metadata-json rename to packages/os/cis-checks-bottlerocket-metadata-json diff --git a/packages/os/cis-checks-k8s-metadata-json b/packages/os/cis-checks-k8s-metadata-json new file mode 100644 index 00000000000..5e896952489 --- /dev/null +++ b/packages/os/cis-checks-k8s-metadata-json @@ -0,0 +1,5 @@ +{ + "name": "CIS Kubernetes Benchmark (Worker Node)", + "version": "v1.7.1", + "url": "https://www.cisecurity.org/benchmark/kubernetes" +} diff --git a/packages/os/os.spec b/packages/os/os.spec index 19b0621a549..a29ed310692 100644 --- a/packages/os/os.spec +++ b/packages/os/os.spec @@ -26,8 +26,11 @@ Source7: host-ctr-toml Source8: oci-default-hooks-json Source9: cfsignal-toml Source10: warm-pool-wait-toml -Source11: bottlerocket-cis-checks-metadata-json +Source11: cis-checks-bottlerocket-metadata-json Source12: 00-resolved.conf +%if %{with k8s_runtime} +Source13: cis-checks-k8s-metadata-json +%endif # 1xx sources: systemd units Source100: apiserver.service 
@@ -383,6 +386,9 @@ for p in \ ; do install -p -m 0755 ${HOME}/.cache/%{__cargo_target}/release/${p} %{buildroot}%{_cross_bindir} done +%if %{with k8s_runtime} +install -p -m 0755 ${HOME}/.cache/%{__cargo_target}/release/kubernetes-checks %{buildroot}%{_cross_bindir} +%endif # Add the bloodhound checker symlinks mkdir -p %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket @@ -397,6 +403,17 @@ for p in \ done install -m 0644 %{S:11} %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/metadata.json +# Only add the k8s checks if it is a k8s variant +%if %{with k8s_runtime} +mkdir -p %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes +for p in \ + k8s04010300 k8s04010400 k8s04020700 k8s04020800 \ +; do + ln -rs %{buildroot}%{_cross_bindir}/kubernetes-checks %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/${p} +done +install -m 0644 %{S:13} %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/metadata.json +%endif + for p in apiclient ; do install -p -m 0755 ${HOME}/.cache/.static/%{__cargo_target_static}/release/${p} %{buildroot}%{_cross_bindir} done @@ -645,5 +662,9 @@ install -p -m 0644 %{S:121} %{buildroot}%{_cross_unitdir} %{_cross_bindir}/bloodhound %{_cross_bindir}/bottlerocket-checks %{_cross_libexecdir}/cis-checks/bottlerocket +%if %{with k8s_runtime} +%{_cross_bindir}/kubernetes-checks +%{_cross_libexecdir}/cis-checks/kubernetes +%endif %changelog diff --git a/sources/bloodhound/src/bin/kubernetes-checks/main.rs b/sources/bloodhound/src/bin/kubernetes-checks/main.rs new file mode 100644 index 00000000000..fda93868b95 --- /dev/null +++ b/sources/bloodhound/src/bin/kubernetes-checks/main.rs 
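Review bot: The symlink names in the `for p in \ k8s04010300 k8s04010400 k8s04020700 k8s04020800 \` loop of the kubernetes install hunk duplicate the match arms in sources/bloodhound/src/bin/kubernetes-checks/main.rs, and nothing ties the two lists together: a checker added to main.rs without a matching `ln -rs` here is silently never installed, while a symlink added here without a match arm yields a command that only prints "not supported" and exits 0. A comment on the loop would at least make the coupling visible, e.g. `# Keep this list in sync with the match arms in sources/bloodhound/src/bin/kubernetes-checks/main.rs`; longer term, deriving the symlink list from the binary (or a shared manifest the spec reads) would remove the drift entirely. Conditioning the whole block on `%{with k8s_runtime}` is presumably correct, but the `%install` scriptlet these lines belong to starts and ends outside the hunk, so that cannot be confirmed here.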
@@ -0,0 +1,54 @@
+use bloodhound::results::*;
+use std::env;
+use std::path::Path;
+
+fn main() {
+    let args: Vec = env::args().collect();
+    let cmd_name = Path::new(&args[0])
+        .file_name()
+        .unwrap_or_default()
+        .to_str()
+        .unwrap_or_default();
+
+    let checker: Box = match cmd_name {
+        "k8s04010300" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive".to_string(),
+            id: "4.1.3".to_string(),
+            level: 1,
+        }),
+        "k8s04010400" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "If proxy kubeconfig file exists ensure ownership is set to root:root".to_string(),
+            id: "4.1.4".to_string(),
+            level: 1,
+        }),
+        "k8s04020700" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "Ensure that the --hostname-override argument is not set (not valid for Bottlerocket)".to_string(),
+            id: "4.2.7".to_string(),
+            level: 1,
+        }),
+        "k8s04020800" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture".to_string(),
+            id: "4.2.8".to_string(),
+            level: 2,
+        }),
+        &_ => {
+            eprintln!("Command {} is not supported.", cmd_name);
+            return;
+        }
+    };
+
+    // Check if the metadata subcommand is being called
+    let get_metadata = env::args().nth(1).unwrap_or_default() == "metadata";
+
+    if get_metadata {
+        let metadata = checker.metadata();
+        println!("{}", metadata);
+    } else {
+        let result = checker.execute();
+        println!("{}", result);
+    }
+}
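Review bot: The `&_ =>` arm at the end of the match in `main` prints "Command … is not supported." to stderr and then plainly `return`s, so the process exits with status 0 and empty stdout; a stale or mistyped symlink under cis-checks/kubernetes would therefore look like a successful run to whatever invokes it. Exit non-zero instead, `std::process::exit(1);` in place of the bare `return;`. Relatedly, `Path::new(&args[0])` indexes a vector that can be empty and `env::args()` panics on non-UTF-8 arguments, so `args.first()` (or `env::args_os()`) would fail more gracefully, and the later `env::args().nth(1)` can reuse the already collected vector as `args.get(1)`. A `//!` module comment stating that this is a multicall binary dispatching on the basename of argv[0] (the symlink names installed by os.spec), and that passing `metadata` as the first argument prints the check's metadata instead of executing it, would help the next reader; the `Vec` and `Box` type parameters also appear to have been lost in extraction, so the hunk as shown would not compile as-is.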