kube-bench
CIS-1.9 Kubernetes Policies checks 5.1.2 and 5.1.4 return a "connection refused" error
Overview
Got a "connection refused" error from both checks.
"actual_value": "E0822 05:42:06.618603 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nE0822 05:42:06.619054 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'secrets'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanGetListWatchSecretsAsSystemAuthenticated:",
How did you run kube-bench?
I'm running kube-bench inside a pod using the job.yaml
What happened?
echo "canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)"
echo "canCreatePodsAsSystemAuthenticated: $(kubectl auth can-i create pods --all-namespaces --as=system:authenticated)"
The above commands run successfully when run outside the pod but fail when run inside a pod. Also, if it helps, if the flag --as=system:authenticated is not provided, the commands run successfully.
What did you expect to happen:
The audit script should run successfully inside the pod, as it does when run outside the pod.
Environment
kube-bench: v0.8.0
k8s version: v1.27.15
Running processes
Below is the output from the pod.
{
"AuditConfig": "",
"AuditEnv": "",
"IsMultiple": false,
"actual_value": "E0822 05:42:06.618603 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nE0822 05:42:06.619054 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'secrets'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanGetListWatchSecretsAsSystemAuthenticated:",
"audit": "echo \"canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)\"",
"expected_result": "'canGetListWatchSecretsAsSystemAuthenticated' is equal to 'no'",
"remediation": "Where possible, remove get, list and watch access to Secret objects in the cluster.\n",
"scored": true,
"status": "FAIL",
"test_desc": "Minimize access to secrets (Automated)",
"test_info": [
"Where possible, remove get, list and watch access to Secret objects in the cluster.\n"
],
"test_number": "5.1.2",
"type": ""
},
{
"AuditConfig": "",
"AuditEnv": "",
"IsMultiple": false,
"actual_value": "E0822 05:42:17.070022 2913144 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nE0822 05:42:17.070388 2913144 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'pods'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanCreatePodsAsSystemAuthenticated:",
"audit": "echo \"canCreatePodsAsSystemAuthenticated: $(kubectl auth can-i create pods --all-namespaces --as=system:authenticated)\"\n",
"expected_result": "'canCreatePodsAsSystemAuthenticated' is equal to 'no'",
"remediation": "Where possible, remove create access to pod objects in the cluster.\n",
"scored": true,
"status": "FAIL",
"test_desc": "Minimize access to create pods (Automated)",
"test_info": [
"Where possible, remove create access to pod objects in the cluster.\n"
],
"test_number": "5.1.4",
"type": ""
},
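The output above shows the real trap in these two checks: the `$(kubectl auth can-i ...)` substitution expanded to nothing because kubectl never reached an API server (it tried localhost:8080), so `actual_value` ends in a bare `canGetListWatchSecretsAsSystemAuthenticated:` and kube-bench marks the check FAIL exactly as it would if `system:authenticated` really could read secrets. The script below is an added example, not kube-bench's own code. It does two things a practitioner triaging this report would want: it builds the same `kubectl auth can-i` command with explicit in-cluster connection flags (`--server`, `--certificate-authority`, `--token`, all real kubectl flags) so kubectl cannot fall back to a default address, and it classifies kube-bench JSON results into PASS, FAIL or INCONCLUSIVE by parsing the `key: yes|no` line and looking for the connection-error markers seen above. The service-account mount path and environment variables are the standard ones Kubernetes injects into pods; the sample results are constructed from the issue's output plus two made-up healthy/finding records.

```python
"""Triage helpers for kube-bench CIS 5.1.2 / 5.1.4 "auth can-i" checks.

Added example (not part of kube-bench). Assumes the default service-account
mount at SA_DIR and the KUBERNETES_SERVICE_HOST/PORT variables every pod gets.
"""
import json
import os
import re

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Markers that mean the audit command never talked to an API server.
CONN_ERROR_MARKERS = (
    "connection refused",
    "The connection to the server",
    "couldn't get current server API group list",
)


def read_sa_token(sa_dir=SA_DIR):
    """Read the projected service-account token (only meaningful inside a pod)."""
    with open(os.path.join(sa_dir, "token"), encoding="utf-8") as fh:
        return fh.read().strip()


def in_cluster_kubectl_cmd(verbs, resource, token, env=None, sa_dir=SA_DIR):
    """argv for `kubectl auth can-i <verbs> <resource> --as=system:authenticated`
    pointed explicitly at the in-cluster API server, so kubectl cannot default
    to localhost:8080. Raises if the pod's service env is missing."""
    env = os.environ if env is None else env
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    if not host:
        raise RuntimeError("KUBERNETES_SERVICE_HOST unset: not running in a pod")
    if ":" in host:                      # bare IPv6 address needs brackets
        host = f"[{host}]"
    return [
        "kubectl",
        f"--server=https://{host}:{port}",
        f"--certificate-authority={os.path.join(sa_dir, 'ca.crt')}",
        f"--token={token}",
        "auth", "can-i", verbs, resource,
        "--all-namespaces", "--as=system:authenticated",
    ]


def parse_can_i_value(actual_value):
    """Return (key, value) from the trailing 'key: yes|no' line the audit echo
    emits; value is '' when the $(kubectl ...) substitution produced nothing."""
    lines = actual_value.rstrip("\n").splitlines()
    if not lines:
        return ("", "")
    m = re.match(r"^(\w+):\s*(\S*)\s*$", lines[-1])
    return (m.group(1), m.group(2)) if m else ("", "")


def classify(result):
    """Map one kube-bench result dict to PASS / FAIL / INCONCLUSIVE / UNKNOWN.
    Only 'yes' is a real RBAC finding; an empty value after a connection
    error is an audit failure, not evidence about the cluster's RBAC."""
    actual = result.get("actual_value", "")
    _, value = parse_can_i_value(actual)
    if value == "no":
        return "PASS"
    if value == "yes":
        return "FAIL"
    if any(marker in actual for marker in CONN_ERROR_MARKERS):
        return "INCONCLUSIVE"
    return "UNKNOWN"


def triage(results):
    """[(test_number, classification), ...] for a list of kube-bench results."""
    return [(r.get("test_number", "?"), classify(r)) for r in results]


# Constructed sample: record 1 is the 5.1.2 output from this issue (trimmed to
# one memcache.go line); records 2 and 3 are made-up healthy / real-finding cases.
SAMPLE_RESULTS = json.loads(r'''[
  {"test_number": "5.1.2 (from issue)",
   "expected_result": "'canGetListWatchSecretsAsSystemAuthenticated' is equal to 'no'",
   "actual_value": "E0822 05:42:06.618603 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'secrets'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanGetListWatchSecretsAsSystemAuthenticated:",
   "status": "FAIL"},
  {"test_number": "5.1.4 (constructed, healthy)",
   "actual_value": "canCreatePodsAsSystemAuthenticated: no\n",
   "status": "PASS"},
  {"test_number": "5.1.2 (constructed, real finding)",
   "actual_value": "canGetListWatchSecretsAsSystemAuthenticated: yes\n",
   "status": "FAIL"}
]''')

if __name__ == "__main__":
    for number, verdict in triage(SAMPLE_RESULTS):
        print(f"{number}: {verdict}")
```

Treat INCONCLUSIVE as a scanner problem to fix (the audit could not authenticate to the API server) rather than as a CIS finding to remediate; only a `yes` answer means `system:authenticated` actually holds the access these checks are looking for.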