
rke2-cis-1.7 failed three tests for a master node due to an issue with the config.yaml and/or the tests' 'audit' #1626

Open
shenghongfu opened this issue Jun 7, 2024 · 3 comments


@shenghongfu
Overview

To help see and understand the issue I have written a Perl script/tool that formats a test report (generated with the json option) into HTML so that the details can be seen in a web browser, as you will see in the image below:

[image]

As you can see from the report there are only three 'FAIL' tests and they are in section 1.1. The report has audit/reason info attached to each test so that we can tell what the possible root cause is - I would say it has a 99% certainty. So below are the 'bugs' and fixes I believe are:

For test 1.1.7, the audit should be checking the permission of the file "/var/lib/rancher/rke2/server/db/etcd/config", instead of thinking it is a directory and trying to find files with the 'etcd' pattern.

For test 1.1.15, kube-bench could not find a 'kubeconfig' entry for the "scheduler" component in the cfg/config.yaml file and thus used the default entry of "/etc/kubernetes/scheduler.conf". A fix is to add an entry of "/var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" for the component "scheduler", like the image shown below

[image]

For test 1.1.17, this will need someone to verify. I believe the cause of the issue is similar to test 1.1.15, but it is a little trickier. I think this test should be checking the permission of the file "/var/lib/rancher/rke2/server/cred/controller.kubeconfig", but in the kube-bench cfg/config.yaml file there is NOT a component of 'controller'. Hence a dirty fix should be to change the test audit

from:
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"

to:
audit: "/bin/sh -c 'if test -e /var/lib/rancher/rke2/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/rke2/server/cred/controller.kubeconfig; fi'"

Environment

What is your version of kube-bench? I have used the latest version, v0.7.3.

What is your version of Kubernetes? Tested both v1.25.16+rke2r2 and v1.28.9+rke2r1.

Since the bug and fixes have been described above, I have skipped other requirements for this bug report. But please contact me if there are any questions or needs.
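The failure mode described above, as an added example that is not part of the original issue or of the kube-bench project: the two audit commands in this thread share one shape, `if test -e $path; then stat -c permissions=%a $path; fi`, and kube-bench then compares the printed mode against the expected value with a bitmask test. The script below reproduces that audit as a shell function, applies a 600-style bitmask comparison, and shows what happens when the path variable resolves to a file that does not exist (the `test -e` guard produces no output, so the test fails). The temporary files, their modes and the function names are constructed for the demonstration; the real config.yaml entries are not modelled here.

```shell
#!/usr/bin/env sh
# Added example (not kube-bench code): emulate a CIS file-permission audit.

# Same shape as the 'audit' strings quoted in the issue:
# print "permissions=<octal>" only if the path exists.
audit_permissions() {
  f="$1"
  if test -e "$f"; then stat -c permissions=%a "$f"; fi
}

# Bitmask comparison: PASS when the mode has no bits outside the allowed
# maximum (e.g. 600), which is how a "permissions <= 600" check is meant.
# Returns 0 on PASS, 1 on FAIL, 2 when the audit produced no output
# (the situation seen when config.yaml points at the wrong path).
check_permissions() {
  f="$1"; max="$2"
  out=$(audit_permissions "$f")
  if [ -z "$out" ]; then
    echo "FAIL $f: audit produced no output (file not found at this path)"
    return 2
  fi
  mode=${out#permissions=}
  # Leading 0 forces octal interpretation in sh arithmetic.
  if [ $(( 0$mode & ~0$max )) -eq 0 ]; then
    echo "PASS $f mode=$mode (max $max)"
    return 0
  fi
  echo "FAIL $f mode=$mode exceeds max $max"
  return 1
}

# Constructed demo: a correctly restricted kubeconfig, an over-permissive one,
# and a path that does not exist (the default /etc/kubernetes/scheduler.conf
# case on an rke2 node).
demo() {
  good=$(mktemp); chmod 600 "$good"
  bad=$(mktemp);  chmod 644 "$bad"
  check_permissions "$good" 600
  check_permissions "$bad" 600
  check_permissions "/nonexistent/constructed/scheduler.conf" 600
  rm -f "$good" "$bad"
}

demo
```

The third call is the interesting one for this thread: because `test -e` is false, the audit prints nothing at all, and a kube-bench test whose path variable came from a missing or mismatched config.yaml entry fails with an empty audit output rather than a wrong mode.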

@mozillazg
Collaborator

cc @andypitcher

@andypitcher
Contributor

@shenghongfu thanks for bringing this up. Here are some answers:

  1. 1.1.7 This check should be skipped as per our Skipped and Not Applicable tests
[image]

In rancher/security-scan/cfg you can see that the check is not present.

  2. 1.1.15 and 1.1.17 both checks rely on the paths that are listed in rke2-cis-1.7-permissive/config.yaml

Generally speaking, there are some imprecisions that we need to tackle to align the profiles that we maintain in security-scan/cfg with kube-bench for rke1, rke2 and k3s.

For the time being I suggest that you refer to the profiles posted in https://github.com/rancher/security-scan/tree/master/package/cfg.

We will provide some updates soon in kube-bench, feel free to contribute as well.

@shenghongfu
Author

@andypitcher Thanks a lot for the comments and for sharing the links, which are very helpful! Will keep an eye out for kube-bench updates :-).
