flag moving to configmap #1732

Open
spyroot opened this issue Nov 18, 2024 · 4 comments
Comments

@spyroot

spyroot commented Nov 18, 2024

Hi Folks,

I see more and more flags where the CIS check is either deprecated or moving to a ConfigMap. Are you planning to support checks in the ConfigMap vs. flags from the process? I see many false positives where a flag is set in the ConfigMap but not in the args.

Thank you

@afdesk
Collaborator

afdesk commented Nov 19, 2024

If I understood your question correctly, Trivy can scan ConfigMaps in a Kubernetes cluster. Does that help you?

@spyroot
Author

spyroot commented Nov 19, 2024

Yes, but I was asking about kube-bench. I think some commands can be rewritten to get the exact same value from the ConfigMap vs. args vs. ps. That will eliminate false positives. Unless, of course, kube-bench doesn't want to support the new semantics.

@afdesk
Collaborator

afdesk commented Nov 20, 2024

> Yes, but I was asking about kube-bench. I think some commands can be rewritten to get the exact same value from the ConfigMap vs. args vs. ps. That will eliminate false positives. Unless, of course, kube-bench doesn't want to support the new semantics.

It sounds interesting.
Could you share some samples of commands which can be rewritten?
Thanks

@spyroot
Author

spyroot commented Nov 20, 2024

For example, if you don't have any other JSON parser, usually you can get away with jq and jt.

For example, get the data from the ConfigMap, parse the JSON via jq, and extract the client file. As a follow-up, you can check file permissions, since you already know the path.

You can get anything as a single line.

kubectl get configmap kubelet-config -n kube-system -o yaml (or -o json) | jq .data gets the value for any given key you need.

And in the pod spec or job spec, you can pass the kubeconfig path so the job or pod has access to the kubeconfig, the same way as Sonobuoy.

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: |
          kubectl get configmap kubelet-config -n kube-system -o yaml | \
            python3 -c 'import sys, yaml, json; data = yaml.safe_load(sys.stdin); print(json.dumps(yaml.safe_load(data["data"]["kubelet"])))' | \
            jq -r ".authentication.x509.clientCAFile == \"/etc/kubernetes/pki/ca.crt\""
        audit_config: "/bin/cat $kubeletconf"
        tests:
          - test_items:
              - flag: clientCAFile
                path: '{.authentication.x509.clientCAFile}'
                value: /etc/kubernetes/pki/ca.crt
        remediation: |
          If using a Kubelet config file, edit the file to set authentication.x509.clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true
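The thread's point is that a check which only greps the kubelet process arguments reports a false positive when the same setting lives in the KubeletConfiguration carried by the kubelet-config ConfigMap. The following is an added example, not code from kube-bench or from the poster, that resolves the effective value of one setting the way the kubelet itself does: a command-line flag takes precedence over the config file, and the config file is consulted only when the flag is absent. The ConfigMap document and the two ps lines are constructed samples; the ConfigMap key name `kubelet` is what kubeadm publishes, and the flag/path pairs for `--client-ca-file` and `--anonymous-auth` are the ones this check maps. Parsing falls back from PyYAML to the json module when PyYAML is not installed, which works because the constructed KubeletConfiguration is written as JSON (valid YAML); on a real cluster the `kubelet` value is YAML and needs `yaml.safe_load`.

```python
"""Resolve a kubelet setting from process args first, then from the
kubelet-config ConfigMap, mirroring kubelet precedence (flag > config file).
Added example; not kube-bench code. Sample inputs are constructed."""
import json
import shlex

try:
    import yaml  # PyYAML, if available (real ConfigMap payload is YAML)

    def _load_kubelet_conf(text):
        return yaml.safe_load(text)
except ImportError:  # fallback: the constructed sample below is JSON, which is valid YAML
    def _load_kubelet_conf(text):
        return json.loads(text)

# Constructed sample: trimmed `kubectl get configmap kubelet-config -n kube-system -o json`
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "kubelet-config", "namespace": "kube-system"},
    "data": {
        # kubeadm stores the KubeletConfiguration document under the key "kubelet"
        "kubelet": json.dumps({
            "apiVersion": "kubelet.config.k8s.io/v1beta1",
            "kind": "KubeletConfiguration",
            "authentication": {
                "anonymous": {"enabled": False},
                "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
            },
            "authorization": {"mode": "Webhook"},
        }),
    },
})

# Constructed samples: a kubelet command line as seen in `ps -ef`, without and with the flag
SAMPLE_PS_NO_FLAG = (
    "/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf "
    "--kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml "
    "--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock"
)
SAMPLE_PS_WITH_FLAG = SAMPLE_PS_NO_FLAG + " --client-ca-file=/etc/pki/override-ca.crt"


def flag_value(ps_line, flag):
    """Return the value of `--flag=value` or `--flag value` from a process line, else None."""
    toks = shlex.split(ps_line)
    for i, tok in enumerate(toks):
        if tok == flag and i + 1 < len(toks):
            return toks[i + 1]
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:]
    return None


def config_value(configmap_json, dotted_path, data_key="kubelet"):
    """Walk a dotted path (e.g. authentication.x509.clientCAFile) inside the
    KubeletConfiguration stored in the ConfigMap's data[data_key]; None if absent."""
    cm = json.loads(configmap_json)
    node = _load_kubelet_conf(cm["data"][data_key])
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective_setting(ps_line, configmap_json, flag, dotted_path):
    """(source, value): 'flag' wins over 'configmap'; 'unset' when neither has it."""
    fv = flag_value(ps_line, flag)
    if fv is not None:
        return ("flag", fv)
    cv = config_value(configmap_json, dotted_path)
    if cv is not None:
        return ("configmap", cv)
    return ("unset", None)


# Flag name -> config-file path pairs this check understands (kubelet docs; assumed complete for the example)
FLAG_TO_PATH = {
    "--client-ca-file": "authentication.x509.clientCAFile",
    "--anonymous-auth": "authentication.anonymous.enabled",
}


def check_client_ca(ps_line, configmap_json):
    """CIS 4.2.3-style verdict: pass when a client CA file is set from either source."""
    src, val = effective_setting(ps_line, configmap_json, "--client-ca-file",
                                 FLAG_TO_PATH["--client-ca-file"])
    return {"set": val is not None, "source": src, "value": val}


if __name__ == "__main__":
    print(check_client_ca(SAMPLE_PS_NO_FLAG, SAMPLE_CONFIGMAP_JSON))
    print(check_client_ca(SAMPLE_PS_WITH_FLAG, SAMPLE_CONFIGMAP_JSON))
```

Two caveats a reviewer of such a check would want stated. First, the ConfigMap is what kubeadm published, not necessarily what the kubelet loaded: the file named by `--config` on the node (here `/var/lib/kubelet/config.yaml`) is authoritative if someone edited it locally, so a node-side check should prefer that file and use the ConfigMap only when the file is unreadable from the scanning pod. Second, reading the ConfigMap requires a kubeconfig mounted into the job, as the poster notes, which widens the scanner's API access; scope that service account to `get` on the single ConfigMap rather than cluster-wide read.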
