Overview
Got a connection refused error from both checks.
"actual_value": "E0822 05:42:06.618603 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nE0822 05:42:06.619054 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'secrets'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanGetListWatchSecretsAsSystemAuthenticated:",
How did you run kube-bench?
I'm running kube-bench inside a pod using the job.yaml
What happened?
The above command runs successfully when run outside the pod but fails when run inside a pod. Also, if it helps, if the flag --as=system:authenticated is not provided, the command runs successfully.
What did you expect to happen:
The audit script to run successfully as it did when run outside the pod.
Environment
kube-bench: v0.8.0
k8s version: v1.27.15
Running processes
Below is the output from the pod.
{
"AuditConfig": "",
"AuditEnv": "",
"IsMultiple": false,
"actual_value": "E0822 05:42:06.618603 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nE0822 05:42:06.619054 2911167 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'secrets'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanGetListWatchSecretsAsSystemAuthenticated:",
"audit": "echo \"canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)\"",
"expected_result": "'canGetListWatchSecretsAsSystemAuthenticated' is equal to 'no'",
"remediation": "Where possible, remove get, list and watch access to Secret objects in the cluster.\n",
"scored": true,
"status": "FAIL",
"test_desc": "Minimize access to secrets (Automated)",
"test_info": [
"Where possible, remove get, list and watch access to Secret objects in the cluster.\n"
],
"test_number": "5.1.2",
"type": ""
},
{
"AuditConfig": "",
"AuditEnv": "",
"IsMultiple": false,
"actual_value": "E0822 05:42:17.070022 2913144 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nE0822 05:42:17.070388 2913144 memcache.go:265] couldn't get current server API group list: Get \"http://localhost:8080/api?timeout=32s\": dial tcp [::1]:8080: connect: connection refused\nWarning: the server doesn't have a resource type 'pods'\n\nThe connection to the server localhost:8080 was refused - did you specify the right host or port?\ncanCreatePodsAsSystemAuthenticated:",
"audit": "echo \"canCreatePodsAsSystemAuthenticated: $(kubectl auth can-i create pods --all-namespaces --as=system:authenticated)\"\n",
"expected_result": "'canCreatePodsAsSystemAuthenticated' is equal to 'no'",
"remediation": "Where possible, remove create access to pod objects in the cluster.\n",
"scored": true,
"status": "FAIL",
"test_desc": "Minimize access to create pods (Automated)",
"test_info": [
"Where possible, remove create access to pod objects in the cluster.\n"
],
"test_number": "5.1.4",
"type": ""
},
These issues seem to be related to an upstream bug/improvement: kubernetes/kubernetes#93474. Until this gets fixed, we should aim for a workaround to audit the same checks automatically, or turn them to manual.
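One possible shape for such a workaround, added here as an example and not kube-bench's own code or the maintainers' proposal: the output in the issue shows kubectl dialling localhost:8080 once `--as` is set, i.e. it is no longer picking up the pod's in-cluster configuration, so the script below passes the pod's API server address, CA and service-account token to kubectl explicitly and re-runs the same two audits (5.1.2 and 5.1.4). It also classifies the result so that a missing answer is reported as ERROR instead of being counted as a FAIL. It assumes the default service-account mount under /var/run/secrets/kubernetes.io/serviceaccount and the KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT variables injected into pods; the function names and the sample error text are constructed for this example, while the check labels are the ones from the issue.

```shell
#!/bin/sh
# Added example, not kube-bench's own code. Re-runs the two audits from the
# issue (CIS 5.1.2 and 5.1.4) inside a pod with the in-cluster credentials
# passed to kubectl explicitly, so --as cannot leave kubectl on the implicit
# localhost:8080 default seen in the issue output.
# Assumptions (not stated in the issue): the default service-account mount
# path and the KUBERNETES_SERVICE_HOST/PORT variables injected by the kubelet.

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# kubectl pinned to this pod's own API server and service-account token.
kubectl_incluster() {
    kubectl \
        --server="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
        --certificate-authority="${SA_DIR}/ca.crt" \
        --token="$(cat "${SA_DIR}/token")" \
        "$@"
}

# Run one kube-bench style "can-i" audit as system:authenticated and print
# the "<label>: <answer>" line that kube-bench compares against 'no'.
# kubectl exits 1 when the answer is "no", so that exit status is tolerated.
audit_can_i() {
    label=$1; verbs=$2; resource=$3
    answer=$(kubectl_incluster auth can-i "$verbs" "$resource" \
                 --all-namespaces --as=system:authenticated 2>/dev/null) || true
    echo "${label}: ${answer}"
}

# Classify an audit line. kube-bench marks anything other than 'no' as FAIL;
# here a missing answer (as in the connection-refused output in the issue) is
# reported as ERROR so a tooling problem is not mistaken for a real finding.
classify_audit_line() {
    case "${1##* }" in      # last whitespace-separated word of the line
        no)  echo PASS ;;
        yes) echo FAIL ;;
        *)   echo ERROR ;;
    esac
}

# Constructed sample mirroring the actual_value from the issue (not live output).
SAMPLE_REFUSED='E0822 05:42:17.070022 2913144 memcache.go:265] could not get current server API group list: dial tcp [::1]:8080: connect: connection refused
The connection to the server localhost:8080 was refused - did you specify the right host or port?
canCreatePodsAsSystemAuthenticated:'

# The sample above has no yes/no answer, so it must classify as ERROR, not FAIL.
demo_classification() {
    classify_audit_line "$SAMPLE_REFUSED"
}

# Run both checks from the issue; exit non-zero on any FAIL or ERROR.
run_all() {
    rc=0
    for spec in \
        "canGetListWatchSecretsAsSystemAuthenticated get,list,watch secrets" \
        "canCreatePodsAsSystemAuthenticated create pods"; do
        set -- $spec            # split "<label> <verbs> <resource>"
        line=$(audit_can_i "$1" "$2" "$3")
        status=$(classify_audit_line "$line")
        echo "$status  $line"
        [ "$status" = PASS ] || rc=1
    done
    return $rc
}

# Only talk to a cluster when actually running inside one.
if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    run_all
fi
```

Run from inside the kube-bench pod (the image already ships kubectl). A PASS line means the impersonated system:authenticated identity got "no" for the verbs in question; an ERROR line means the audit itself could not reach the API server and the check should be treated as inconclusive rather than as a finding.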