```yaml
- id: 5.1.5
  text: "Ensure that default service accounts are not actively used. (Automated)"
  audit: |
    kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | " namespace: \(.metadata.namespace), kind: \(.kind), name: \(.metadata.name), automountServiceAccountToken: \(.automountServiceAccountToken | if . == null then "notset" else . end )"' | xargs -L 1
  use_multiple_values: true
  tests:
    test_items:
      - flag: "automountServiceAccountToken"
        compare:
          op: eq
          value: false
        set: true
  remediation: |
    Create explicit service accounts wherever a Kubernetes workload requires specific access
    to the Kubernetes API server.
    Modify the configuration of each default service account to include this value
    `automountServiceAccountToken: false`.
  scored: true
```
The audit script failed to run because the version of xargs does not recognize the option L.
How did you run kube-bench?
I'm running kube-bench inside a pod using the job.yaml.
Command used: `kube-bench --json --check=5.1.5`
What happened?
The audit script returned an error with the following reason:
```text
failed to run: "kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | \" namespace: \\(.metadata.namespace), kind: \\(.kind), name: \\(.metadata.name), automountServiceAccountToken: \\(.automountServiceAccountToken | if . == null then \"notset\" else . end )\"' | xargs -L 1", output: "xargs: unrecognized option: L
BusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.

Usage: xargs [OPTIONS] [PROG ARGS]

Run PROG on every item given by stdin

    -0          NUL terminated input
    -a FILE     Read from FILE instead of stdin
    -o          Reopen stdin as /dev/tty
    -r          Don't run command if input is empty
    -t          Print the command on stderr before execution
    -p          Ask user whether to run each command
    -E STR,-e[STR]  STR stops input processing
    -I STR      Replace STR within PROG ARGS with input line
    -n N        Pass no more than N args to PROG
    -s N        Pass command line of no more than N bytes
    -P N        Run up to N PROGs in parallel
    -x          Exit if size is exceeded
", error: exit status 1
```
Here is the log from the pod in JSON format.
```json
{
  "Controls": [
    {
      "id": "4",
      "version": "cis-1.9",
      "detected_version": "1.27",
      "text": "Worker Node Security Configuration",
      "node_type": "node",
      "tests": null,
      "total_pass": 0,
      "total_fail": 0,
      "total_warn": 0,
      "total_info": 0
    },
    {
      "id": "5",
      "version": "cis-1.9",
      "detected_version": "1.27",
      "text": "Kubernetes Policies",
      "node_type": "policies",
      "tests": [
        {
          "section": "5.1",
          "type": "",
          "pass": 0,
          "fail": 1,
          "warn": 0,
          "info": 0,
          "desc": "RBAC and Service Accounts",
          "results": [
            {
              "test_number": "5.1.5",
              "test_desc": "Ensure that default service accounts are not actively used. (Automated)",
              "audit": "kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | \" namespace: \\(.metadata.namespace), kind: \\(.kind), name: \\(.metadata.name), automountServiceAccountToken: \\(.automountServiceAccountToken | if . == null then \"notset\" else . end )\"' | xargs -L 1\n",
              "AuditEnv": "",
              "AuditConfig": "",
              "type": "",
              "remediation": "Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n`automountServiceAccountToken: false`.\n",
              "test_info": [
                "Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n`automountServiceAccountToken: false`.\n"
              ],
              "status": "FAIL",
              "actual_value": "",
              "scored": true,
              "IsMultiple": true,
              "expected_result": "",
              "reason": "failed to run: \"kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | \\\" namespace: \\\\(.metadata.namespace), kind: \\\\(.kind), name: \\\\(.metadata.name), automountServiceAccountToken: \\\\(.automountServiceAccountToken | if . == null then \\\"notset\\\" else . end )\\\"' | xargs -L 1\", output: \"xargs: unrecognized option: L\nBusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.\n\nUsage: xargs [OPTIONS] [PROG ARGS]\n\nRun PROG on every item given by stdin\n\n\t-0\tNUL terminated input\n\t-a FILE\tRead from FILE instead of stdin\n\t-o\tReopen stdin as /dev/tty\n\t-r\tDon't run command if input is empty\n\t-t\tPrint the command on stderr before execution\n\t-p\tAsk user whether to run each command\n\t-E STR,-e[STR]\tSTR stops input processing\n\t-I STR\tReplace STR within PROG ARGS with input line\n\t-n N\tPass no more than N args to PROG\n\t-s N\tPass command line of no more than N bytes\n\t-P N\tRun up to N PROGs in parallel\n\t-x\tExit if size is exceeded\n\", error: exit status 1"
            }
          ]
        }
      ],
      "total_pass": 0,
      "total_fail": 1,
      "total_warn": 0,
      "total_info": 0
    }
  ],
  "Totals": {
    "total_pass": 0,
    "total_fail": 1,
    "total_warn": 0,
    "total_info": 0
  }
}
```
What did you expect to happen:
The audit script to run successfully as it did when run outside the pod.
Environment
kube-bench version: v1.8.0
kubectl version: v1.27.15
Fix:
Need to update Dockerfile line 24 to add the package findutils as shown below. This ensures that the GNU version of xargs is available inside the pod.
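To make the semantics of the 5.1.5 check concrete (one audit line per default service account, each evaluated against `flag: automountServiceAccountToken`, `op: eq`, `value: false`, `set: true`), here is an added Python re-implementation of that logic over a constructed `ServiceAccountList`. This is example code, not kube-bench's own evaluator; the function names and the sample namespaces are assumptions.

```python
import json

# Constructed sample of `kubectl get serviceaccount --all-namespaces
# --field-selector metadata.name=default -o=json` (not real cluster data).
# Three namespaces cover the three cases: false, true, and field absent.
SAMPLE_SA_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "kube-system"},
         "automountServiceAccountToken": False},
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "payments"},
         "automountServiceAccountToken": True},
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "staging"}},
    ],
})


def audit_lines(sa_list_json):
    """Mirror the check's jq filter: one line per default SA, with a missing
    automountServiceAccountToken rendered as 'notset'. The leading space that
    the trailing `xargs -L 1` echo stripped is simply not emitted here."""
    lines = []
    for item in json.loads(sa_list_json)["items"]:
        value = item.get("automountServiceAccountToken")
        rendered = "notset" if value is None else json.dumps(value)  # true/false as jq prints them
        lines.append(
            f"namespace: {item['metadata']['namespace']}, kind: {item['kind']}, "
            f"name: {item['metadata']['name']}, automountServiceAccountToken: {rendered}"
        )
    return lines


def evaluate_5_1_5(sa_list_json):
    """Apply the test_items to every audit line, as use_multiple_values: true
    does. Returns {namespace: 'PASS' | 'FAIL'}. A 'notset' value means the
    token is still mounted by default, so it fails like an explicit true."""
    results = {}
    for line in audit_lines(sa_list_json):
        fields = dict(part.split(": ", 1) for part in line.split(", "))
        results[fields["namespace"]] = "PASS" if fields["automountServiceAccountToken"] == "false" else "FAIL"
    return results


def check_status(sa_list_json):
    """Overall result: the check fails if any default SA fails."""
    return "FAIL" if "FAIL" in evaluate_5_1_5(sa_list_json).values() else "PASS"


if __name__ == "__main__":
    print("\n".join(audit_lines(SAMPLE_SA_LIST)))
    print(evaluate_5_1_5(SAMPLE_SA_LIST), check_status(SAMPLE_SA_LIST))
```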