
kube-bench 1.1.13 'stat' command has errors dealing with escape character.

Open · J0nathan1ei opened this issue 1 year ago · 1 comment

Overview

[A clear and concise description of what the bug is]

How did you run kube-bench?
I modified the permissions of admin.conf and super_admin.conf on all Kubernetes control nodes to 600 as required by kube-bench 1.1.13, but the check still failed. When I ran it again with -v 5, I discovered that there was an error in parsing %n with stat. The log content is below.

[Please specify exactly how you ran kube-bench, including details of command parameters and/or job file that you used to run it]

./kube-bench --config-dir /root/cks/kube-bench/cfg/ run master --check 1.1.13 -v 5

[Please include output from the report to illustrate the problem. If possible please supply logs generated with the -v 3 parameter.]

I1009 18:50:22.961379   47649 check.go:180] failed to run: "for adminconf in /etc/kubernetes/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \\\"permissions=%a %n\\\" $adminconf; fi; done", output: "stat: cannot statx '%n\"': No such file or directory\n\"permissions=600\nstat: cannot statx '%n\"': No such file or directory\n\"permissions=600\n", error: exit status 1
I1009 18:50:22.961412   47649 check.go:186] Command: "for adminconf in /etc/kubernetes/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \\\"permissions=%a %n\\\" $adminconf; fi; done\n" TestResult: <<EMPTY>>
I1009 18:50:22.961444   47649 check.go:190] failed to run: "for adminconf in /etc/kubernetes/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \\\"permissions=%a %n\\\" $adminconf; fi; done", output: "stat: cannot statx '%n\"': No such file or directory\n\"permissions=600\nstat: cannot statx '%n\"': No such file or directory\n\"permissions=600\n", error: exit status 1

What did you expect to happen: 1.1.13 check should pass after I modified the permissions of admin.conf and super_admin.conf on all Kubernetes control nodes.

[Please describe what you expected to happen differently.] The 1.1.13 Check still failed.

Environment
Rocky Linux release 9.4 (Blue Onyx)

[What is your version of kube-bench? (run kube-bench version)] 0.8.0

[What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)]
Client Version: v1.31.1
Kustomize Version: v5.4.2
Server Version: v1.31.0

Running processes

[Please include the output from running ps -eaf | grep kube on the affected node. This will allow us to check what Kubernetes processes are running, and how this compares to what kube-bench detected.] This may not be the main reason, but you can still check it.

ps -eaf | grep kube
root         759       1  1 18:13 ?        00:00:43 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --hostname-override=k8s-master-1 --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.10
root        1655    1318  0 18:13 ?        00:00:04 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --use-service-account-credentials=true
root        1710    1307  0 18:13 ?        00:00:05 kube-scheduler --authentication-kubeconfig=/etc/kubernetes/scheduler.conf --authorization-kubeconfig=/etc/kubernetes/scheduler.conf --bind-address=127.0.0.1 --kubeconfig=/etc/kubernetes/scheduler.conf --leader-elect=true
root        1713    1298  1 18:13 ?        00:01:17 etcd --advertise-client-urls=https://192.168.153.121:2379 --cert-file=/etc/kubernetes/pki/etcd/server.crt --client-cert-auth=true --data-dir=/var/lib/etcd --experimental-initial-corrupt-check=true --experimental-watch-progress-notify-interval=5s --initial-advertise-peer-urls=https://192.168.153.121:2380 --initial-cluster=k8s-master-1=https://192.168.153.121:2380 --key-file=/etc/kubernetes/pki/etcd/server.key --listen-client-urls=https://127.0.0.1:2379,https://192.168.153.121:2379 --listen-metrics-urls=http://127.0.0.1:2381 --listen-peer-urls=https://192.168.153.121:2380 --name=k8s-master-1 --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt --peer-client-cert-auth=true --peer-key-file=/etc/kubernetes/pki/etcd/peer.key --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --snapshot-count=10000 --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
root        1829    1334  1 18:14 ?        00:01:08 kube-apiserver --advertise-address=192.168.153.121 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
root        2368    1995  0 18:14 ?        00:00:00 /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=k8s-master-1
root        2706    1966  0 18:14 ?        00:00:03 /opt/bin/flanneld --ip-masq --kube-subnet-mgr
root       64892    1865  0 19:18 pts/0    00:00:00 grep --color=auto kube

Configuration files
Default files; I didn't change any content.

[If kube-bench is reporting an issue related to the settings defined in a config file, please attach the file, or include an extract showing the settings that are being detected incorrectly.]

Anything else you would like to add:
It seems there was an error executing the stat command. I tried it on my local machine and encountered issues when stat dealt with escape characters:

[root@k8s-master-1 kubernetes]# stat -c "permissions=%a %n" admin.conf
permissions=600 admin.conf
[root@k8s-master-1 kubernetes]# stat -c \"permissions=%a %n\" admin.conf
stat: cannot statx '%n"': No such file or directory
"permissions=600

[Miscellaneous information that will assist in solving the issue.]

J0nathan1ei, Oct 09 '24 11:10
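To see exactly what the shell does with the quoting in that audit string, here is an added example (not kube-bench's own code) that runs the string from the log above against a constructed 600-mode file and compares it with the plainly quoted form; the fixture directory, the `run_audit` helper and the function names are assumptions of this example.

```shell
# Added example, not kube-bench's own code: show how the shell parses the
# escaped-quote audit string from the log, next to a plainly quoted version.

# Constructed fixture: an empty stand-in for admin.conf with mode 600.
setup_fixture() {
  dir=$(mktemp -d)
  : > "$dir/admin.conf"
  chmod 600 "$dir/admin.conf"
  printf '%s\n' "$dir"
}

# Run an audit string the way a checker would, through `sh -c`, and return
# combined stdout/stderr plus the exit status as text for inspection.
run_audit() {
  rc=0
  out=$(sh -c "$1" 2>&1) || rc=$?
  printf '%s\nexit=%s\n' "$out" "$rc"
}

# The string as it appeared in the failing check: `\"` reaches the shell as a
# literal backslash-quote, so `stat` receives the format `"permissions=%a` and
# is then asked to stat a second "file" literally named `%n"`.
broken_audit() {
  run_audit "for c in $1; do if test -e \$c; then stat -c \\\"permissions=%a %n\\\" \$c; fi; done"
}

# The same check with ordinary double quotes: `permissions=%a %n` is a single
# argument and `%n` expands to the file name.
fixed_audit() {
  run_audit "for c in $1; do if test -e \$c; then stat -c \"permissions=%a %n\" \$c; fi; done"
}

# Stand-alone demonstration: print both results one after the other.
demo() {
  d=$(setup_fixture)
  echo "--- broken ---"; broken_audit "$d/admin.conf"
  echo "--- fixed ---";  fixed_audit "$d/admin.conf"
  rm -rf "$d"
}
```

Running `demo` reproduces the `No such file or directory` line and the stray leading quote on `"permissions=600` from the report, while the fixed form prints `permissions=600 <path>` and exits 0.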

@J0nathan1ei Thanks for reporting. This issue was fixed via https://github.com/aquasecurity/kube-bench/pull/1649. Please try again with the latest version: https://github.com/aquasecurity/kube-bench/releases/tag/v0.9.0

mozillazg, Oct 11 '24 13:10