
# goss `command` resource. Each key is the command goss executes; the nested
# keys are the assertions on its exit status and output streams. Entries in
# `stdout` / `stderr` are matched one by one against the captured output
# (goss "contains" semantics); an empty list means no assertion on that stream.
# `timeout: 0` is carried over from upstream — as far as we can tell goss then
# falls back to its default per-command timeout; confirm before relying on it.
command:
{{ if ne .Vars.OS "windows" }} # Linux Only
  # containerd must be installed and answer `--version`. awk prints the third
  # whitespace-separated field minus its first character (strips the leading
  # "v"); the version value itself is not asserted here, only a clean exit.
  containerd --version | awk -F' ' '{print substr($3,2); }':
    exit-status: 0
    stdout: []
    stderr: []
    timeout: 0
  # crictl must be able to talk to the configured CRI endpoint. Only the exit
  # status is asserted, so this proves the runtime answers, not that any
  # container exists.
  crictl ps:
    exit-status: 0
    stdout: []
    stderr: []
    timeout: 0
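{{if ne .Vars.containerd_wasm_shims_runtimes ""}}
  # Wasm shims. Running a shim binary with no arguments is expected to fail
  # (exit 1) with the "Shim namespace cannot be empty" error: that proves the
  # binary is on PATH and executable without needing a running task.
  containerd-shim-slight-v1:
    exit-status: 1
    stdout: [ ]
    stderr: ["io.containerd.slight.v1: InvalidArgument(\"Shim namespace cannot be empty\")"]
    timeout: 0
  containerd-shim-spin-v1:
    exit-status: 1
    stdout: [ ]
    stderr: ["io.containerd.spin.v1: InvalidArgument(\"Shim namespace cannot be empty\")"]
    timeout: 0
  # Both runtimes must also be registered in containerd's config. These are
  # deliberately two separate greps: a single `(slight|spin)` alternation would
  # pass when only one of the two runtimes is configured, even though both shim
  # binaries are asserted present above. grep exits non-zero (failing the
  # check) when the runtime name is absent.
  grep -E 'io\.containerd\.slight\.v1' /etc/containerd/config.toml:
    exit-status: 0
    stdout: [ ]
    stderr: [ ]
    timeout: 0
  grep -E 'io\.containerd\.spin\.v1' /etc/containerd/config.toml:
    exit-status: 0
    stdout: [ ]
    stderr: [ ]
    timeout: 0
{{end}}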
{{if eq .Vars.kubernetes_source_type "pkg"}}
{{if eq .Vars.kubernetes_cni_source_type "pkg"}}
  # Pre-pulled control-plane images. The pipeline drops the header row, splits
  # each line on space or "/" and prints field 2 (the image name without its
  # registry), strips the "-{{ .Vars.arch }}" suffix, and sorts.
  # The three variants of this check below are mutually exclusive via the
  # template conditions, so the rendered file never has a duplicate key.
  # NOTE(review): each stdout entry is a contains-match, so this verifies the
  # listed images are present, not that they are the *only* images in the
  # image store.
  crictl images | grep -v 'IMAGE ID' | awk -F'[ /]' '{print $2}' | sed 's/-{{ .Vars.arch }}//g' | sort:
    exit-status: 0
    stderr: []
    timeout: 0
    stdout: ["coredns", "etcd", "kube-apiserver", "kube-controller-manager", "kube-proxy", "kube-scheduler", "pause"]
{{end}}
{{end}}
{{if and (eq .Vars.kubernetes_source_type "http") (eq .Vars.kubernetes_cni_source_type "http") (not .Vars.kubernetes_load_additional_imgs)}}
  # http source without additional images: only the four core component
  # images are expected (no coredns / etcd / pause).
  # The second last pipe of awk is to take out arch from kube-apiserver-amd64 (i.e. amd64 or any other arch)
  crictl images | grep -v 'IMAGE ID' | awk -F'[ /]' '{print $2}' | sed 's/-{{ .Vars.arch }}//g' | sort:
    exit-status: 0
    stderr: []
    timeout: 0
    stdout: ["kube-apiserver", "kube-controller-manager", "kube-proxy", "kube-scheduler"]
{{end}}
{{if and (eq .Vars.kubernetes_source_type "http") (eq .Vars.kubernetes_cni_source_type "http") (.Vars.kubernetes_load_additional_imgs)}}
  # http source with additional images loaded: same expectation as the pkg
  # variant above.
  # The second last pipe of awk is to take out arch from kube-apiserver-amd64 (i.e. amd64 or any other arch)
  crictl images | grep -v 'IMAGE ID' | awk -F'[ /]' '{print $2}' | sed 's/-{{ .Vars.arch }}//g' | sort:
    exit-status: 0
    stderr: []
    timeout: 0
    stdout: ["coredns", "etcd", "kube-apiserver", "kube-controller-manager", "kube-proxy", "kube-scheduler", "pause"]
{{end}}
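{{if eq .Vars.kubernetes_source_type "http"}}
  # Binary version pinning for http-sourced Kubernetes. Each command extracts
  # the gitVersion, strips surrounding quotes, and drops the leading "v" so the
  # result compares directly with kubernetes_version (which is expected to be
  # unprefixed, e.g. 1.27.3). The templated value is quoted so YAML never
  # retypes it (a two-component version like 1.27 would otherwise be a float).
  # NOTE(review): `kubectl version --short` is deprecated/removed in recent
  # kubectl releases — confirm it is still accepted by the pinned version.
  kubectl version --short --client=true -o json | jq .clientVersion.gitVersion | tr -d '"' | awk '{print substr($1,2); }':
    exit-status: 0
    stdout: ["{{ .Vars.kubernetes_version }}"]
    stderr: []
    timeout: 0
  kubeadm version -o json | jq .clientVersion.gitVersion | tr -d '"' | awk '{print substr($1,2); }':
    exit-status: 0
    stdout: ["{{ .Vars.kubernetes_version }}"]
    stderr: []
    timeout: 0
  # kubelet prints "Kubernetes vX.Y.Z"; field 2 minus the leading "v".
  kubelet --version | awk -F' ' '{print $2}' | tr -d '"' | awk '{print substr($1,2); }':
    exit-status: 0
    stdout: ["{{ .Vars.kubernetes_version }}"]
    stderr: []
    timeout: 0
{{end}}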
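{{if eq .Vars.kubernetes_cni_source_type "http"}}
  # CNI plugin version pinning. Invoking host-device with no CNI environment
  # makes it print its usage/version banner (on stderr, hence 2>&1); the 4th
  # field minus its leading "v" is compared against kubernetes_cni_version.
  # The exact banner layout is assumed from the field index — confirm if the
  # plugins are bumped to a release that changes it.
  /opt/cni/bin/host-device 2>&1 | awk -F' ' '{print substr($4,2); }':
    exit-status: 0
    stdout: ["{{ .Vars.kubernetes_cni_version }}"]
    stderr: []
    timeout: 0
{{end}}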
{{if eq .Vars.OS "photon"}}
  # Photon only: transparent hugepages must be in "madvise" mode (the kernel
  # marks the active choice with brackets).
  cat /sys/kernel/mm/transparent_hugepage/enabled:
    exit-status: 0
    stdout: ["always [madvise] never"]
    stderr: []
    timeout: 0
{{end}}
  # Per-OS / per-provider extra command checks, read from
  # .Vars.<OS>.<PROVIDER>.command. Each entry is a command name mapping to its
  # goss attributes. Values are rendered verbatim and unquoted, so anything
  # placed in the vars file must already be valid YAML at this indentation
  # (lists as `[...]`, strings quoted where YAML would retype them).
{{range $name, $vers := index .Vars .Vars.OS .Vars.PROVIDER "command"}}
  {{ $name }}:
{{range $key, $val := $vers}}
    {{$key}}: {{$val}}
{{end}}
{{end}}
{{end}} #End linux only
{{ if eq .Vars.OS "windows" }} # Windows
  # Windows Update policy. The image is expected to neither download nor
  # install updates on its own: AUOptions=2 ("notify before download") and
  # NoAutoUpdate=1. Each value is additionally asserted to be an Int32
  # (REG_DWORD) because a REG_SZ "2"/"1" would satisfy the -eq but not the
  # policy engine. Here `exec:` carries the real command and the key is only a
  # display name.
  automatic updates set to notify:
    exit-status: 0
    exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name AUOptions) -eq '2'"
    stdout:
      - "True"
    timeout: 30000
  automatic updates set to notify with correct type:
    exit-status: 0
    exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name AUOptions).GetType().Name -eq 'Int32'"
    stdout:
      - "True"
    timeout: 30000
  automatic updates are disabled:
    exit-status: 0
    exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name NoAutoUpdate) -eq '1'"
    stdout:
      - "True"
    timeout: 30000
  automatic updates are disabled with correct type:
    exit-status: 0
    exec: powershell -command "(Get-ItemPropertyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -name NoAutoUpdate).GetType().Name -eq 'Int32'"
    stdout:
      - "True"
    timeout: 30000
kubectl version --client:
exit-status: 0
stdout:
- {{.Vars.kubernetes_version}}
- "windows"
- {{.Vars.arch}}
timeout: 30000
kubeadm version:
exit-status: 0
stdout:
- {{.Vars.kubernetes_version}}
- "windows"
- {{.Vars.arch}}
timeout: 30000
kubelet --version:
exit-status: 0
stdout:
- {{.Vars.kubernetes_version}}
timeout: 10000
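{{ if eq .Vars.distribution_version "2019" }}
  # Windows Server 2019 only: the update build revision (UBR) must be at least
  # 1817, i.e. the image carries a recent enough cumulative update.
  Windows build version is high enough:
    exit-status: 0
    exec: powershell -command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name UBR).UBR -ge 1817"
    stdout:
      - "True"
    timeout: 30000
  # HNS / WCIFS registry flags expected by the Windows container networking
  # stack on 2019. The meaning of the specific values (80 and 0) is not
  # documented here — they are asserted as set by the image build.
  # The registry path is single-quoted like every other check in this file;
  # the previous nested double quotes only worked because the path has no
  # spaces and PowerShell re-joined the split arguments.
  Check HNS Control Flag:
    exit-status: 0
    exec: powershell -command "(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\hns\State' -Name HNSControlFlag).HNSControlFlag -eq 80"
    stdout:
      - "True"
    timeout: 30000
  Check WCIFS Flag:
    exit-status: 0
    exec: powershell -command "(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\wcifs' -Name WcifsSOPCountDisabled).WcifsSOPCountDisabled -eq 0"
    stdout:
      - "True"
    timeout: 30000
{{end}}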
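{{ if eq .Vars.runtime "containerd" }}
  # containerd runtime on Windows. The binary is invoked by its absolute path
  # (quoted because of the space in "Program Files").
  Correct Containerd Version:
    exec: "\"/Program Files/containerd/containerd.exe\" --version"
    exit-status: 0
    stdout:
      - "{{.Vars.containerd_version}}"
    timeout: 30000
  # `config dump` prints the effective TOML. The sandbox image must be the
  # pinned pause image and the CNI / state directories the expected ones.
  # The root/state lines are TOML-escaped (`C:\\ProgramData\\...`), hence the
  # doubled backslashes inside these double-quoted YAML scalars.
  Correct Containerd config:
    exec: "\"/Program Files/containerd/containerd.exe\" config dump"
    exit-status: 0
    stdout:
      - "sandbox_image = \"{{.Vars.pause_image}}\""
      - "conf_dir = \"C:/etc/cni/net.d\""
      - "bin_dir = \"C:/opt/cni/bin\""
      - "root = \"C:\\\\ProgramData\\\\containerd\\\\root\""
      - "state = \"C:\\\\ProgramData\\\\containerd\\\\state\""
    timeout: 30000
  # Defender process exclusions for containerd.exe and ctr.exe (a deliberate
  # performance trade-off: file activity of those processes is not scanned).
  # This asserts the two entries are present; it does not reject additional
  # exclusions. `timeout` added so the check behaves like its siblings instead
  # of silently using goss's default.
  Check Windows Defender Exclusions are in place:
    exit-status: 0
    exec: powershell -command "(Get-MpPreference | select ExclusionProcess)"
    stdout:
      - \Program Files\containerd\containerd.exe,
      - \Program Files\containerd\ctr.exe
    timeout: 30000
  Check SMB CompartmentNamespace Flag:
    exit-status: 0
    exec: powershell -command "(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\hns\State' -Name EnableCompartmentNamespace).EnableCompartmentNamespace -eq 1"
    stdout:
      - "True"
    timeout: 30000
  # Dynamic TCP port range must start at 34000 and span 31536 ports, i.e. run
  # up to 65535.
  Windows Port Range is Expanded:
    exit-status: 0
    exec: netsh int ipv4 show dynamicportrange tcp
    stdout:
      - "Start Port : 34000"
      - "Number of Ports : 31536"
    timeout: 30000
{{end}}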
{{ if eq .Vars.runtime "docker-ee" }}
  # Docker EE runtime: the pinned version string must appear in
  # `docker.exe version` output (client and server sections are not
  # distinguished).
  Correct Docker Version:
    exec: "docker.exe version"
    exit-status: 0
    stdout:
      - "{{.Vars.docker_ee_version}}"
    timeout: 30000
{{end}}
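{{if eq .Vars.PROVIDER "azure"}}
  # Azure only. The image build installs a firewall rule (named after
  # CVE-2021-27075) that blocks outbound traffic to 168.63.129.16:80. The
  # original check only proved a rule with that DisplayName was enabled; an
  # enabled rule that *allows* the traffic would have passed. Direction and
  # Action are now asserted as well. -ErrorAction Stop keeps a missing rule a
  # non-zero exit. Address/port filters are still not inspected.
  Verify firewall rule to block 168.63.129.16:80 for cve-2021-27075:
    exit-status: 0
    exec: powershell -command "(Get-NetFirewallRule -ErrorAction Stop -DisplayName 'Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075') | ForEach-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' }"
    stdout:
      - "True"
    stderr: []
    timeout: 30000
  # this could be moved to place for other providers if they want to install it
  # Key Vault gMSA (CCG) plugin: the DLL must exist under System32 and its COM
  # registration must point at that copy — CLSID listed under the CCG
  # COMClasses key, InprocServer32 resolving to the System32 path, and the
  # ICcgDomainAuthCredentials interface GUID registered. `Ft -autosize -wrap`
  # keeps the GUIDs from being truncated in the output being matched.
  Key Vault gMSA binary is installed:
    exec: powershell -command "Test-Path -Path C:\Windows\System32\CCGAKVPlugin.dll"
    exit-status: 0
    stdout:
      - "True"
    timeout: 30000
  Key Vault gMSA binary COM is registered:
    exec: powershell -command "(Get-Item 'HKLM:SYSTEM\CurrentControlSet\Control\CCG\COMClasses\{CCC2A336-D7F3-4818-A213-272B7924213E}') | Ft -autosize -wrap"
    exit-status: 0
    stdout:
      - "CCC2A336-D7F3-4818-A213-272B7924213E"
    timeout: 30000
  Key Vault gMSA binary is registered:
    exec: powershell -command "Get-ItemProperty -Path 'HKLM:SOFTWARE\CLASSES\CLSID\{CCC2A336-D7F3-4818-A213-272B7924213E}\InprocServer32\'"
    exit-status: 0
    stdout:
      - "C:\\Windows\\System32\\CCGAKVPlugin.dll"
    timeout: 30000
  Key Vault gMSA CCG interface is registered:
    exec: powershell -command "(Get-Item 'HKLM:SOFTWARE\Classes\Interface\{6ECDA518-2010-4437-8BC3-46E752B7B172}') | Ft -autosize -wrap"
    exit-status: 0
    stdout:
      - "ICcgDomainAuthCredentials"
    timeout: 30000
{{end}}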
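{{ if ne .Vars.ssh_source_url "" }}
  # ACL of the OpenSSH install directory (only when OpenSSH was installed from
  # ssh_source_url). SYSTEM and Administrators must each hold an ACE granting
  # FullControl; Win32-OpenSSH is picky about permissions on its files, so this
  # guards against a loosened directory. Values quoted as strings so YAML does
  # not retype the expected "True".
  Check permission of OpenSSH directory for SYSTEM:
    exec: powershell -command "((Get-Acl 'C:\Program Files\OpenSSH').Access | Where-Object{$_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and $_.FileSystemRights -eq 'FullControl'}) -ne $null"
    exit-status: 0
    stdout:
      - "True"
    timeout: 30000
  Check permission of OpenSSH directory for Administrators:
    exec: powershell -command "((Get-Acl 'C:\Program Files\OpenSSH').Access | Where-Object{$_.IdentityReference -eq 'BUILTIN\Administrators' -and $_.FileSystemRights -eq 'FullControl'}) -ne $null"
    exit-status: 0
    stdout:
      - "True"
    timeout: 30000
  # NOTE(review): this only proves there is no BUILTIN\Users ACE with
  # *exactly* 'ReadAndExecute, Synchronize'. A Users ACE granting Modify or
  # FullControl would still pass. If the intent is "Users have no access",
  # drop the FileSystemRights clause; if read access is acceptable, assert the
  # absence of write/modify bits instead. Left unchanged pending confirmation
  # of the intended ACL.
  Check permission of OpenSSH directory for Users:
    exec: powershell -command "((Get-Acl 'C:\Program Files\OpenSSH').Access | Where-Object{$_.IdentityReference -eq 'BUILTIN\Users' -and $_.FileSystemRights -eq 'ReadAndExecute, Synchronize'}) -eq $null"
    exit-status: 0
    stdout:
      - "True"
    timeout: 30000
{{end}}
{{end}} #end windows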