kube-bench
cfg/cis-1.6's 4.2.1 gets a false negative result
Overview
If kubelet runs only with the command-line parameter --anonymous-auth=false and the configuration file cannot be found on the server, the cis-1.6 4.2.1 rule gets a false negative result.
How did you run kube-bench?
kube-bench run --benchmark=cis-1.6 --targets node --check=4.2.1
What happened?
/root/kube-bench-main/executables-rzdMAHOz82/___224_worker run --benchmark=cis-1.6 --targets node --check=4.2.1 -v=3
....
I0811 17:31:40.822903 34122 check.go:110] ----- Running check 4.2.1 -----
I0811 17:31:40.882694 34122 check.go:299] Command: "/bin/ps -fC kubelet"
I0811 17:31:40.882733 34122 check.go:300] Output:
"UID PID PPID C STIME TTY TIME CMD\nroot 48387 48366 19 Aug06 ? 1-02:13:21 kubelet --anonymous-auth=false --network-plugin=cni --registry-burst=10 ....
I0811 17:31:40.886387 34122 check.go:180] failed to run: "/bin/cat /var/lib/kubelet/config.yaml", output: "/bin/cat: /var/lib/kubelet/config.yaml: No such file or directory\n", error: exit status 1
I0811 17:31:40.886411 34122 check.go:186] Command: "/bin/cat /var/lib/kubelet/config.yaml" TestResult: <<EMPTY>>
I0811 17:31:40.886424 34122 check.go:190] failed to run: "/bin/cat /var/lib/kubelet/config.yaml", output: "/bin/cat: /var/lib/kubelet/config.yaml: No such file or directory\n", error: exit status 1
[INFO] 4 Worker Node Security Configuration
[INFO] 4.2 Kubelet
[FAIL] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
What did you expect to happen: [PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
Environment
[What is your version of kube-bench? (run kube-bench version)]
build from the latest source code
Reason
https://github.com/aquasecurity/kube-bench/blob/main/check/check.go#L195-L212
If it cannot find the configuration file, err will not be nil, which causes the false negative result.
c.AuditConfigOutput, err = runAudit(c.AuditConfig)
Any advice for this issue? Thanks ~
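The failure mode reported above, modelled as an added example (not code from the issue or from kube-bench; all function names and regexes are hypothetical): one check fails as soon as the config-file audit errors, the other treats an unreadable config file as empty so the --anonymous-auth flag from the process list is still evaluated.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical model of the reported behaviour; names are illustrative, not kube-bench's.
var (
	flagRe = regexp.MustCompile(`--anonymous-auth=(\S+)`)
	cfgRe  = regexp.MustCompile(`anonymous:\s+enabled:\s*(\S+)`)
)

// evaluate prefers the command-line flag, which overrides the kubelet config file.
func evaluate(psOut, cfgOut string) string {
	for _, m := range [][]string{flagRe.FindStringSubmatch(psOut), cfgRe.FindStringSubmatch(cfgOut)} {
		if m != nil {
			if m[1] == "false" {
				return "PASS"
			}
			return "FAIL"
		}
	}
	return "FAIL" // neither source sets it: anonymous auth is not shown to be disabled
}

// reportedCheck: any error reading the config file fails the check outright.
func reportedCheck(psOut, cfgOut string, cfgErr error) string {
	if cfgErr != nil {
		return "FAIL"
	}
	return evaluate(psOut, cfgOut)
}

// tolerantCheck: an unreadable config file counts as empty, so the flag is still evaluated.
func tolerantCheck(psOut, cfgOut string, cfgErr error) string {
	if cfgErr != nil {
		cfgOut = ""
	}
	return evaluate(psOut, cfgOut)
}

func main() {
	ps := "kubelet --anonymous-auth=false --network-plugin=cni" // constructed from the log above
	missing := errors.New("exit status 1")                      // cat: No such file or directory
	fmt.Println(reportedCheck(ps, "", missing), tolerantCheck(ps, "", missing))
}
```

A node that sets neither the flag nor the config value still fails under the tolerant check, so the change does not hide a kubelet left at its default.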
Thanks for reporting. I'll check it later.
Thanks
@TARI0510 @mozillazg Did you find the solution for this issue? I am also facing the issue of "kube-bench cannot find configuration files in server".
Ref: https://github.com/aquasecurity/kube-bench/issues/1256
Please provide your input.
Thanks