
False positive: kube-bench node unable to read from kubelet config file

Open navzen2000 opened this issue 3 years ago • 7 comments

Kube bench node reported:

```
[FAIL] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
[FAIL] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[FAIL] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
```

Here is the excerpt from the kubelet config file in use:

```json
"authentication": {
  "anonymous": { "enabled": false },
  "webhook": { "cacheTTL": "2m0s", "enabled": true },
  "x509": { "clientCAFile": "/etc/kubernetes/ca.crt" }
},
"authorization": {
  "mode": "Webhook",
  "webhook": { "cacheAuthorizedTTL": "5m0s", "cacheUnauthorizedTTL": "30s" }
},
"protectKernelDefaults": true,
```

The kubelet process points to the above config file:

```
/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --cloud-provider=external --hostname-override=xxxxxxx --kubeconfig=/etc/kubernetes/kubelet.conf --network-plugin=cni --node-ip=xxxxxx --node-labels=hostname=xxxxx,internal_addr=xxxx,displayName=xxx --v=2 --container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --config=kubelet_conf.json
```

navzen2000 avatar Aug 23 '22 13:08 navzen2000

@navzen2000 I am also facing the same issue. Did you get any resolution for the above issue?

Algoss avatar Sep 06 '22 07:09 Algoss

> @navzen2000 I am also facing the same issue. Did you get any resolution for the above issue?

No resolution yet!

navzen2000 avatar Sep 06 '22 09:09 navzen2000

@navzen2000 What is the full path of the kubelet_conf.json file? Would you try to add this path to the config.yaml (https://github.com/aquasecurity/kube-bench/blob/main/cfg/config.yaml#L153) then try again?

mozillazg avatar Sep 10 '22 12:09 mozillazg

@mozillazg The path is /var/lib/kubelet/. It would be better if this path with a filename (any) could be added as an argument to the docker image command, so that any customized location can be used by kube-bench.

navzen2000 avatar Sep 15 '22 09:09 navzen2000

@navzen2000 Thanks for your suggestion. We may implement it in the future.

mozillazg avatar Sep 17 '22 09:09 mozillazg

I'm also facing this issue, by the way; just wanted to confirm. This issue still hasn't been resolved in the latest release, right?

```
➜  kubespray-2.20.0 kubectl logs pod/kube-bench-xcpv4 |grep FAIL    [25/10/22 | 8:04:36]
[FAIL] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
1 checks FAIL
0 checks FAIL
1 checks FAIL
root@-k8s-node-08901dd4:~# cat /var/lib/kubelet/config.yaml | grep -A4 authorization
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
```

nicolasjulian avatar Oct 25 '22 13:10 nicolasjulian

The issue is here: https://github.com/aquasecurity/kube-bench/blob/main/cfg/config.yaml#L156

At least in GKE, kubelet uses the config from /home/kubernetes/kubelet-config.yaml. Directory /etc/kubernetes/kubelet-config.yaml contains some default kubelet config which is not configured properly and is not used by kubelet.

The workaround of setting /home/kubernetes/kubelet-config.yaml as the first path works. Ideally it should parse the config location from the kubelet args.

anjmao avatar Nov 15 '23 13:11 anjmao
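The root cause discussed in this thread is that the scanner reads a fixed list of candidate paths rather than the file the running kubelet was actually started with, so a non-standard `--config` location (a relative `kubelet_conf.json` in the first post, `/home/kubernetes/kubelet-config.yaml` in the last) produces FAIL results that the real config would not. The following Python script is an added example, not kube-bench code and not from any participant in this issue: it implements the approach anjmao suggests (take the config path from the kubelet arguments), resolves a relative path against an assumed kubelet working directory, loads the file, and applies the four checks quoted in the first post to the parsed `KubeletConfiguration`. The command line, config contents and working directory are constructed sample data modelled on the excerpts above; the function names are this example's own.

```python
import json
import shlex
import tempfile
from pathlib import Path

# Constructed sample input modelled on the issue: a kubelet command line whose
# --config points at a file by relative name, and the JSON that file contains.
SAMPLE_CMDLINE = (
    "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf "
    "--container-runtime=remote --v=2 --config=kubelet_conf.json"
)
SAMPLE_CONFIG = {
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"cacheTTL": "2m0s", "enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "protectKernelDefaults": True,
}


def config_path_from_cmdline(cmdline, cwd="/var/lib/kubelet"):
    """Extract the kubelet --config value ("--config=PATH" or "--config PATH")
    and resolve a relative path against the kubelet working directory
    (assumed here to be /var/lib/kubelet, as stated in the thread).
    Returns None when no --config flag is present."""
    args = shlex.split(cmdline)
    raw = None
    for i, arg in enumerate(args):
        if arg.startswith("--config="):
            raw = arg.split("=", 1)[1]
            break
        if arg == "--config" and i + 1 < len(args):
            raw = args[i + 1]
            break
    if raw is None:
        return None
    path = Path(raw)
    return path if path.is_absolute() else Path(cwd) / path


def load_kubelet_config(path):
    """Load a KubeletConfiguration file. JSON is tried first (the format in
    the first post); YAML (the kubespray/GKE format) is accepted when PyYAML
    is installed."""
    text = Path(path).read_text()
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # optional dependency, only needed for YAML configs
        return yaml.safe_load(text)


def evaluate(cfg):
    """Apply the four kubelet checks quoted in the issue to the parsed config.
    A missing key counts as FAIL: the kubelet default for each of these
    settings is the permissive one (anonymous auth on, AlwaysAllow, no CA,
    kernel defaults not protected)."""
    auth = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})

    def verdict(ok):
        return "PASS" if ok else "FAIL"

    mode = authz.get("mode")
    return {
        "4.2.1": verdict(auth.get("anonymous", {}).get("enabled") is False),
        "4.2.2": verdict(mode is not None and mode != "AlwaysAllow"),
        "4.2.3": verdict(bool(auth.get("x509", {}).get("clientCAFile"))),
        "4.2.6": verdict(cfg.get("protectKernelDefaults") is True),
    }


def audit_from_cmdline(cmdline, cwd):
    """End to end: locate the config via the process arguments, load it,
    and evaluate the checks against what kubelet actually runs with."""
    path = config_path_from_cmdline(cmdline, cwd)
    if path is None or not path.is_file():
        raise FileNotFoundError(f"kubelet config not found via --config: {path}")
    return evaluate(load_kubelet_config(path))


def run_demo():
    """Write the sample config into a temporary 'working directory' that
    stands in for /var/lib/kubelet, then audit it from the sample command line."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "kubelet_conf.json").write_text(json.dumps(SAMPLE_CONFIG))
        return audit_from_cmdline(SAMPLE_CMDLINE, cwd=tmp)


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"[{result}] {check}")
```

Run against the config from the first post, all four checks pass, which is the behaviour the reporter expected; the same checks return FAIL for a config that sets `AlwaysAllow` or omits the keys, so the difference between a misread path and a genuine misconfiguration becomes visible. On a real node the command line would come from `/proc/<pid>/cmdline` of the kubelet process rather than a constant.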