
flag moving to configmap

Open spyroot opened this issue 11 months ago • 4 comments

Hi Folks,

I see more and more flags that the CIS checks look for being either deprecated or moved to a ConfigMap. Are you planning to support checks against the ConfigMap vs. flags from the process? I see many false positives where the flag is set in the ConfigMap but not in args.

Thank you

spyroot avatar Nov 18 '24 12:11 spyroot

If I understood correctly your question, Trivy can scan ConfigMap in Kubernetes cluster. Does it help you?

afdesk avatar Nov 19 '24 09:11 afdesk

Yes, but I was asking about kube-bench. I think some cmds can be rewritten to get the exact same value from the ConfigMap vs. args vs. ps. That will eliminate false positives. Unless, of course, kube-bench doesn't want to support the new semantics.

spyroot avatar Nov 19 '24 18:11 spyroot

> Yes, but I was asking about kube-bench. I think some cmds can be rewritten to get the exact same value from the ConfigMap vs. args vs. ps. That will eliminate false positives. Unless, of course, kube-bench doesn't want to support the new semantics.

It sounds interesting. Could you share some samples of cmds which can be rewritten? Thanks

afdesk avatar Nov 20 '24 04:11 afdesk

For example, if you don't have any other JSON parser, usually you can get away with jq and jt.

For example, get the data from the ConfigMap, parse the JSON via jq and extract the client CA file. As a follow-up, you can check the file permissions, since you already know the path.

You can get anything as a single line.

kubectl get configmap kubelet-config -n kube-system -o yaml (or json) | jq .data gets the value for any given key you need.

And in the pod spec or job spec, you can pass the path to a kubeconfig so the job or pod has access to the kubeconfig, the same way as Sonobuoy.

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        # Read the value from the kubelet-config ConfigMap instead of the kubelet process args:
        # the ConfigMap is YAML, and the embedded kubelet config is converted to JSON for jq.
        audit: |
          kubectl get configmap kubelet-config -n kube-system -o yaml | \
            python3 -c 'import sys, yaml, json; data = yaml.safe_load(sys.stdin); print(json.dumps(yaml.safe_load(data["data"]["kubelet"])))' | \
            jq -r ".authentication.x509.clientCAFile == \"/etc/kubernetes/pki/ca.crt\""
        # Fallback: the kubelet config file on the node, queried with the JSONPath in 'path' below.
        audit_config: "/bin/cat $kubeletconf"
        tests:
          - test_items:
              - flag: clientCAFile
                path: '{.authentication.x509.clientCAFile}'
                value: /etc/kubernetes/pki/ca.crt
        remediation: |
          If using a Kubelet config file, edit the file to set authentication.x509.clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

spyroot avatar Nov 20 '24 05:11 spyroot
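The two steps described in the comment above (read clientCAFile out of the kubelet-config ConfigMap, then check the permissions of the file it points to), written as an added stand-alone example that is not part of the issue or of kube-bench itself. It assumes a constructed, trimmed ConfigMap as `kubectl -o json` would return it, parses only the block-style YAML subset kubeadm writes (so it needs no PyYAML), and treats 0600 as the maximum acceptable mode; real clusters and benchmark versions may differ.

```python
import json
import os
import stat

# Constructed sample of `kubectl get configmap kubelet-config -n kube-system -o json`
# (hypothetical values): the outer object is JSON, data.kubelet is a YAML string.
SAMPLE_CONFIGMAP_JSON = json.dumps({"kind": "ConfigMap", "data": {"kubelet": (
    "authentication:\n"
    "  anonymous:\n"
    "    enabled: false\n"
    "  x509:\n"
    "    clientCAFile: /etc/kubernetes/pki/ca.crt\n"
)}})

def parse_simple_yaml(text):
    """Block-style 'key: value' subset kubeadm writes (nested maps, scalars; no lists)."""
    root = {}; stack = [(-1, root)]   # (indent, mapping) currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent closes deeper mappings
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value == "":                # 'key:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value, value)
    return root

def lookup(config, path):  # kube-bench style path, e.g. '{.authentication.x509.clientCAFile}'
    node = config
    for part in path.strip("{}").strip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def client_ca_file_from_configmap(configmap_json):
    """Step 1: read the client CA path from the ConfigMap instead of the kubelet args."""
    kubelet_cfg = parse_simple_yaml(json.loads(configmap_json)["data"]["kubelet"])
    return lookup(kubelet_cfg, "{.authentication.x509.clientCAFile}")

def mode_ok(mode, max_mode=0o600):
    """Step 2: the CA file mode passes only if it grants nothing beyond max_mode."""
    return mode & ~max_mode == 0

def file_mode_ok(path, max_mode=0o600):  # stat the file found in step 1, on the node
    return mode_ok(stat.S_IMODE(os.stat(path).st_mode), max_mode)
```

`file_mode_ok` is the only part that needs to run on a node where the CA file exists; the rest works on the ConfigMap output alone.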