Update latest Azure Kubernetes Service (AKS) schema

.github/dependabot.yml

@@ -0,0 +1,15 @@
+---
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/build.yml

@@ -13,9 +13,14 @@ on:
       - "*.md"
       - "LICENSE"
       - "NOTICE"
+env:
+  GO_VERSION: "1.16"
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+
 jobs:
-  build:
-    name: Build
+  lint:
+    name: Lint
     runs-on: ubuntu-18.04
     steps:
       - name: Setup Go
@@ -26,16 +31,64 @@ jobs:
         uses: actions/checkout@v2
       - name: yaml-lint
         uses: ibiqlik/action-yamllint@v3
+  unit:
+    name: Unit tests
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+      - name: Checkout code
+        uses: actions/checkout@v2
       - name: Run unit tests
         run: make tests
       - name: Upload code coverage
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v2
         with:
           file: ./coverage.txt
+  e2e:
+    name: E2e tests
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Kubernetes cluster (KIND)
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+          name: kube-bench
+      - name: Test connection to Kubernetes cluster
+        run: |
+          kubectl cluster-info
+          kubectl describe node
       - name: Run integration tests
-        run: make integration-tests
+        run: |
+          make integration-test
+      - name: Compare output with expected output
+        uses: GuillaumeFalourd/diff-action@v1
+        with:
+          first_file_path: ./test.data
+          second_file_path: integration/testdata/Expected_output.data
+          expected_result: PASSED
+  release:
+    name: Release snapshot
+    runs-on: ubuntu-18.04
+    needs: [e2e, unit]
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+      - name: Checkout code
+        uses: actions/checkout@v2
       - name: Dry-run release snapshot
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.148.0
+          version: v0.169.0
           args: release --snapshot --skip-publish --rm-dist

.github/workflows/mkdocs-deploy.yaml

@@ -0,0 +1,37 @@
+---
+# This is a manually triggered workflow to build and publish the MkDocs from the
+# main branch to GitHub pages at https://aquasecurity.github.io/kube-bench.
+name: Deploy documentation
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to be deployed
+        required: true
+
+jobs:
+  deploy:
+    name: Deploy documentation
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.x
+      - run: |
+          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
+          pip install mike
+          pip install mkdocs-macros-plugin
+        env:
+          # Note: It is not the same as ${{ secrets.GITHUB_TOKEN }} !
+          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
+      - run: |
+          git config user.name "aqua-bot"
+          git config user.email "aqua-bot@users.noreply.github.com"
+      - run: |
+          mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest

.github/workflows/publish.yml

@@ -41,7 +41,7 @@ jobs:
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Get version
         id: get_version
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v3
         with:
           images: ${{ env.REP }}
           tag-semver: |
@@ -52,16 +52,17 @@ jobs:
         uses: docker/build-push-action@v2
         with:
           context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           builder: ${{ steps.buildx.outputs.name }}
           push: true
+          build-args: |
+            KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:latest
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:latest
           cache-from: type=local,src=/tmp/.buildx-cache/release
           cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
-
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}

.github/workflows/release.yml

@@ -4,6 +4,11 @@ on:
   push:
     tags:
       - "v*"
+env:
+  GO_VERSION: "1.16"
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+
 jobs:
   release:
     name: Release
@@ -17,12 +22,29 @@ jobs:
         uses: actions/checkout@v2
       - name: Run unit tests
         run: make tests
+      - name: Setup Kubernetes cluster (KIND)
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+          name: kube-bench
+      - name: Test connection to Kubernetes cluster
+        run: |
+          kubectl cluster-info
+          kubectl describe node
       - name: Run integration tests
-        run: make integration-tests
+        run: |
+          make integration-test
+      - name: Compare output with expected output
+        uses: GuillaumeFalourd/diff-action@v1
+        with:
+          first_file_path: ./test.data
+          second_file_path: integration/testdata/Expected_output.data
+          expected_result: PASSED
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.148.0
+          version: v0.169.0
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -12,3 +12,5 @@ coverage.txt
 # Directory junk file
 .DS_Store
 thumbs.db
+/kubeconfig.kube-bench
+/test.data

.goreleaser.yml

@@ -1,4 +1,5 @@
 ---
+project_name: kube-bench
 env:
   - GO111MODULE=on
   - KUBEBENCH_CFG=/etc/kube-bench/cfg
@@ -28,13 +29,23 @@ archives:
 nfpms:
   -
     vendor: Aqua Security
-    maintainer: Yoav Rotem <yoav.rotem@aquasec.com>
     description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
+    maintainer: Yoav Rotem <yoav.rotem@aquasec.com>
     license: Apache-2.0
     homepage: https://github.com/aquasecurity/kube-bench
-    files:
-      "cfg/**/*": "/etc/kube-bench/cfg"
-      "cfg/config.yaml": "/etc/kube-bench/cfg"
+    file_name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
+    contents:
+      - src: "cfg/**/*"
+        dst: "/etc/kube-bench/cfg"
+      - src: "cfg/config.yaml"
+        dst: "/etc/kube-bench/cfg/config.yaml"
     formats:
       - deb
       - rpm
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs'
+      - '^test'
+      - '^release'

CONTRIBUTING.md

@@ -1,6 +1,8 @@
 Thank you for taking an interest in contributing to kube-bench !
 
-## Issues
+## Contributing, bug reporting, openning issues and starting discussions
+
+### Issues
 
 - Feel free to open an issue for any reason as long as you make it clear if the issue is about a bug/feature/question/comment.
 - Please spend some time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
@@ -9,16 +11,69 @@ Thank you for taking an interest in contributing to kube-bench !
 - For questions and bug reports, please include the following information:
   - version of kube-bench you are running (from kube-bench version) along with the command line options you are using.
   - version of Kubernetes you are running (from kubectl version or oc version for Openshift).
-  - Verbose log output, by setting the `-v 10` command line option.
-
-## Pull Requests
-
-1. Every Pull Request should have an associated Issue, unless you are fixing a trivial documentation issue.
-1. We will not accept changes to LICENSE, NOTICE or CONTRIBUTING from outside the Aqua Security team. Please raise an Issue if you believe there is a problem with any of these files. 
-1. Your PR is more likely to be accepted if it focuses on just one change.
-1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that start with "fix"/"add"/"improve"/"remove" are good examples.
-1. Please add the associated Issue in the PR description.
-1. There's no need to add or tag reviewers.
-1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-1. Please include a comment with the results before and after your change.
-1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+  - Verbose log output, by setting the `-v 3` command line option.
+
+### Bugs
+
+If you think you have found a bug please follow the instructions below.
+
+- Open a [new bug](https://github.com/aquasecurity/kube-bench/issues/new?assignees=&labels=&template=bug_report.md) if a duplicate doesn't already exist.
+- Make sure to give as much information as possible in the following questions
+  - Overview
+  - How did you run kube-bench?
+  - What happened?
+  - What did you expect to happen
+  - Environment
+  - Running processes
+  - Configuration files
+  - Anything else you would like to add
+- Set `-v 3` command line option and save the log output. Please paste this into your issue.
+
+
+### Features
+
+We also use the GitHub discussions to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below.
+
+- Open a [new discussion](https://github.com/aquasecurity/kube-bench/discussions/new?category_id=19113743) if a duplicate doesn't already exist.
+- Remember users might be searching for your discussion in the future, so please give it a meaningful title to helps others.
+- Clearly define the use case, using concrete examples. For example, I type `this` and kube-bench does `that`.
+- If you would like to include a technical design for your feature please feel free to do so.
+
+### Questions
+
+We also use the GitHub discussions to Q&A.
+
+- Open a [new discussion](https://github.com/aquasecurity/kube-bench/discussions/new) if a duplicate doesn't already exist.
+- Remember users might be searching for your discussion in the future, so please give it a meaningful title to helps others.
+
+
+### Pull Requests
+
+We welcome pull requests!
+- Every Pull Request should have an associated Issue, unless you are fixing a trivial documentation issue.
+- We will not accept changes to LICENSE, NOTICE or CONTRIBUTING from outside the Aqua Security team. Please raise an Issue if you believe there is a problem with any of these files. 
+- Your PR is more likely to be accepted if it focuses on just one change.
+- Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that start with "fix"/"add"/"improve"/"remove" are good examples.
+- Please add the associated Issue in the PR description.
+- Please include a comment with the results before and after your change.
+- There's no need to add or tag reviewers.
+- If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+- Please include a comment with the results before and after your change.
+- Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach.
+- Happy coding!
+
+## Testing locally with kind
+
+Our makefile contains targets to test your current version of kube-bench inside a [Kind](https://kind.sigs.k8s.io/) cluster. This can be very handy if you don't want to run a real Kubernetes cluster for development purposes.
+
+First, you'll need to create the cluster using `make kind-test-cluster` this will create a new cluster if it cannot be found on your machine. By default, the cluster is named `kube-bench` but you can change the name by using the environment variable `KIND_PROFILE`.
+
+*If kind cannot be found on your system the target will try to install it using `go get`*
+
+Next, you'll have to build the kube-bench docker image using `make build-docker`, then we will be able to push the docker image to the cluster using `make kind-push`.
+
+Finally, we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit)
+
+Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
+

Dockerfile

@@ -1,24 +1,34 @@
-FROM golang:1.16 AS build
+FROM golang:1.17.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
+COPY makefile makefile
 COPY go.mod go.sum ./
 COPY main.go .
 COPY check/ check/
 COPY cmd/ cmd/
 COPY internal/ internal/
 ARG KUBEBENCH_VERSION
-ARG GOOS=linux
-ARG GOARCH=amd64
-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=$GOOS GOARCH=$GOARCH go build -a -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=${KUBEBENCH_VERSION} -w" -o /go/bin/kube-bench
+RUN make build && cp kube-bench /go/bin/kube-bench
 
-FROM alpine:3.13 AS run
+FROM alpine:3.15.0 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
 # https://github.com/aquasecurity/kube-bench/issues/109
 RUN apk --no-cache add procps
 
+# Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
+# https://github.com/aquasecurity/kube-bench/issues/943
+RUN apk --no-cache upgrade apk-tools
+
 # Openssl is used by OpenShift tests
 # https://github.com/aquasecurity/kube-bench/issues/535
-RUN apk --no-cache add openssl
+# Ensuring that we update/upgrade before installing openssl, to mitigate CVE-2021-3711 and CVE-2021-3712
+RUN apk update && apk upgrade && apk --no-cache add openssl
+
+# Add glibc for running oc command 
+RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
+RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.33-r0/glibc-2.33-r0.apk
+RUN apk add glibc-2.33-r0.apk
+RUN apk add jq
 
 ENV PATH=$PATH:/usr/local/mount-from-host/bin