File permission checks fail when files don't exist

Open rothgar opened this issue 5 months ago • 0 comments

Overview

When running on nodes that don't have the checked files (e.g. /etc/kubernetes/scheduler.conf) the check says the permissions fail even though the file doesn't exist.

How did you run kube-bench?

Via the provided job.yaml file with slight modifications to mount points because the host didn't have all requested folders and the filesystem is read only.

What happened?

Running the job showed multiple failures for file permissions for files that don't exist on the system.

What did you expect to happen:

Tests would not be marked as FAIL because a file that doesn't exist is more secure than a file with the correct permissions.

Environment

v0.10.6

Client Version: v1.33.1 Kustomize Version: v5.6.0 Server Version: v1.32.3

Running processes

 3087 root      0:31 /bin/containerd-shim-runc-v2 -namespace system -id kubelet -address /run/containerd/containerd.sock
 3110 root      1h34 /usr/local/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubeconfig --cert-dir=/var/lib/kubelet/pki --config=/etc/kubernetes/kubelet.yaml --hostname-override=talos-1gp-p5w --kubeconfig=/etc/kubernetes/kubeconfig-kubelet --node-ip=192.168.7.205
 3424 nobody    2h39 /usr/local/bin/kube-apiserver --admission-control-config-file=/system/config/kubernetes/kube-apiserver/admission-control-config.yaml --advertise-address=192.168.7.205 --allow-privileged=true --anonymous-auth=false --api-audiences=https://[fdae:41e4:649b:9303::1]:10000 --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/log/audit/kube/kube-apiserver.log --audit-policy-file=/system/config/kubernetes/kube-apiserver/auditpolicy.yaml --authorization-config=/system/config/kubernetes/kube-apiserver/authorization-config.yaml --bind-address=0.0.0.0 --client-ca-file=/system/secrets/kubernetes/kube-apiserver/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --encryption-provider-config=/system/secrets/kubernetes/kube-apiserver/encryptionconfig.yaml --etcd-cafile=/system/secrets/kubernetes/kube-apiserver/etcd-client-ca.crt --etcd-certfile=/system/secrets/kubernetes/kube-apiserver/etcd-client.crt --etcd-keyfile=/system/secrets/kubernetes/kube-apiserver/etcd-client.key --etcd-servers=https://localhost:2379 --kubelet-client-certificate=/system/secrets/kubernetes/kube-apiserver/apiserver-kubelet-client.crt --kubelet-client-key=/system/secrets/kubernetes/kube-apiserver/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/system/secrets/kubernetes/kube-apiserver/front-proxy-client.crt --proxy-client-key-file=/system/secrets/kubernetes/kube-apiserver/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/system/secrets/kubernetes/kube-apiserver/aggregator-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://[fdae:41e4:649b:9303::1]:10000 --service-account-key-file=/system/secrets/kubernetes/kube-apiserver/service-account.pub --service-account-signing-key-fi
 3734 65536    18:40 /usr/local/bin/kube-scheduler --authentication-kubeconfig=/system/secrets/kubernetes/kube-scheduler/kubeconfig --authentication-tolerate-lookup-failure=false --authorization-kubeconfig=/system/secrets/kubernetes/kube-scheduler/kubeconfig --bind-address=127.0.0.1 --config=/system/config/kubernetes/kube-scheduler/scheduler-config.yaml --leader-elect=true --profiling=false --tls-min-version=VersionTLS13
 3778 65535     1h12 /usr/local/bin/kube-controller-manager --use-service-account-credentials --allocate-node-cidrs=true --authentication-kubeconfig=/system/secrets/kubernetes/kube-controller-manager/kubeconfig --authorization-kubeconfig=/system/secrets/kubernetes/kube-controller-manager/kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.244.0.0/16 --cluster-signing-cert-file=/system/secrets/kubernetes/kube-controller-manager/ca.crt --cluster-signing-key-file=/system/secrets/kubernetes/kube-controller-manager/ca.key --configure-cloud-routes=false --controllers=*,tokencleaner --kubeconfig=/system/secrets/kubernetes/kube-controller-manager/kubeconfig --leader-elect=true --profiling=false --root-ca-file=/system/secrets/kubernetes/kube-controller-manager/ca.crt --service-account-private-key-file=/system/secrets/kubernetes/kube-controller-manager/service-account.key --service-cluster-ip-range=10.96.0.0/12 --tls-min-version=VersionTLS13
 3911 root      0:57 /usr/local/bin/kube-proxy --cluster-cidr=10.244.0.0/16 --conntrack-max-per-core=0 --hostname-override=talos-1gp-p5w --kubeconfig=/etc/kubernetes/kubeconfig --proxy-mode=nftables
 4255 root      8:59 /opt/bin/flanneld --ip-masq --kube-subnet-mgr
217091 root      0:00 grep kube

Configuration files

[If kube-bench is reporting an issue related to the settings defined in a config file, please attach the file, or include an extract showing the settings that are being detected incorrectly.]

Anything else you would like to add:

Here's the output log with -v 3

results-3.txt

rothgar Jun 02 '25 23:06
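To make the expected semantics concrete, here is an added example (not kube-bench's own code, and not from the reporter) of a CIS-style file permission check that reports a missing file as NA rather than FAIL. It assumes a GNU or BSD `stat`; the function names `file_mode` and `check_file_perms` are my own, and the 600 threshold is the benchmark's "600 or more restrictive" recommendation for files such as scheduler.conf.

```shell
#!/bin/sh
# Added example, not kube-bench code: a CIS-style file permission check
# that treats a missing file as not applicable (NA) instead of FAIL,
# which is the outcome the report above expects.

# file_mode PATH -> prints the octal permission bits of PATH.
# Uses GNU stat and falls back to BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_file_perms PATH MAX_MODE -> prints one line: NA, PASS or FAIL.
# MAX_MODE is the most permissive mode allowed (CIS uses 600 for
# scheduler.conf). The check fails only if the file grants a permission
# bit that MAX_MODE does not, so a stricter mode such as 400 still passes.
# Exit status: 0 for NA and PASS, 1 for FAIL, so it works inside `if`.
check_file_perms() {
  f=$1
  max=$2
  if [ ! -e "$f" ]; then
    # Nothing to expose: the component is not deployed on this node.
    echo "NA: $f does not exist"
    return 0
  fi
  mode=$(file_mode "$f") || return 1
  # A leading 0 makes the shell read both values as octal; the result is
  # the set of permission bits present in the file but not allowed.
  extra=$(( 0$mode & ~0$max ))
  if [ "$extra" -ne 0 ]; then
    echo "FAIL: $f has mode $mode, expected at most $max"
    return 1
  fi
  echo "PASS: $f has mode $mode"
  return 0
}
```

Usage on a node would be `check_file_perms /etc/kubernetes/scheduler.conf 600`. Keeping NA as a distinct result (rather than folding it into PASS) lets an audit report still show which components were absent, so a node that is expected to run the scheduler but has no config file can be caught by a separate presence check instead of being hidden behind a PASS.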