
kube-bench checks are failing in case of the expected value and actual value is empty string. #1515

Open
arjunkhunti-crest opened this issue Oct 30, 2023 · 3 comments

arjunkhunti-crest commented Oct 30, 2023

Overview
Kube-bench checks are failing when the flagVal and compareValue are empty strings and flagName is given.

  • Expected Outcome
{label: "empty - val", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'flagName' is equal to ''", testResult: true, flagName: "flagName"}
  • Actual Outcome
{label: "empty - val", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'flagName' is equal to ''", testResult: false, flagName: "flagName"}

How did you run kube-bench?

kube-bench run --benchmark eks-1.2.0

What happened?
The check should pass when flagVal and compareValue are the same (including empty) and flagName is not empty. However, it is failing with the given parameters. Here’s the reference test for the same:

Test Details

- id: 4.2.14
  text: "Check empty string"
  audit: curl http://127.0.0.1:8000/check?name=ncm:disabled_integrity_monitoring
  tests:
    test_items:
      - flag: disabledIntegrityMonitoring
        compare:
          op: eq
          value: ""
        set: true
  remediation: |
    nothing
  scored: true

Golang Function

// myFun is the audit backend for check 4.2.14: it collects the node pools
// without integrity monitoring and reports them as "flag: value" output.
func myFun(ctx context.Context, clientset *kubernetes.Clientset, logger *zap.Logger) (string, error) {
    disabledIntegrityMonitoringNodepools, err := getNodePoolsWithoutIntegrityMonitoring(ctx, clientset, logger)
    if err != nil {
        return "", err
    }
    sort.Strings(disabledIntegrityMonitoringNodepools)

    // Emits the flag with an empty value, which is what the check expects to see.
    return fmt.Sprintf("disabledIntegrityMonitoring: %s", ""), nil
}

Given the parameters provided:

flagName = "disabledIntegrityMonitoring"
flagVal = ""
compareVal = ""
op = "eq"

The intention was to compare flagVal and compareVal ("" == ""). However, there was an internal assignment of flagName to compareVal, resulting in a comparison of "" == "disabledIntegrityMonitoring". This unexpected behavior led to a test failure and incorrect outcomes.

What did you expect to happen?
The check should pass when flagVal and compareValue are the same (including empty) and flagName is not empty.

Environment

  • Kube-bench: v0.6.19
  • Client Version: v1.21.3
  • Server Version: v1.24.14-gke.2700
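An added illustration (not kube-bench's own code) of the two steps the report describes: extracting the flag's value from the audit output and then applying eq, written so that an empty flag value compares as "" == "" and is never replaced by the flag name. The regex shape, the sample output line and the helper names extractFlagValue, compareEq and evaluateEq are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// extractFlagValue looks up flag in one line of audit output of the form
// "flag: value" or "flag=value" and returns the value, which may legitimately
// be the empty string. found reports whether the flag was present at all.
// The pattern is a constructed approximation, not kube-bench's parser.
func extractFlagValue(output, flag string) (val string, found bool) {
	re := regexp.MustCompile(`(?m)^\s*` + regexp.QuoteMeta(flag) + `\b\s*[:=]?\s*(.*?)\s*$`)
	m := re.FindStringSubmatch(output)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// compareEq implements the eq operator. flagName is used only to build the
// result message; it is never substituted for flagVal, so "" == "" passes.
// Booleans are compared case-insensitively (assumption), everything else exactly.
func compareEq(flagVal, compareValue, flagName string) (string, bool) {
	msg := fmt.Sprintf("'%s' is equal to '%s'", flagName, compareValue)
	lv := strings.ToLower(flagVal)
	if lv == "true" || lv == "false" {
		return msg, lv == strings.ToLower(compareValue)
	}
	return msg, flagVal == compareValue
}

// evaluateEq runs the whole check: extract, then compare. An absent flag is a
// distinct failure rather than a comparison against the flag's name.
func evaluateEq(output, flag, compareValue string) (string, bool) {
	val, found := extractFlagValue(output, flag)
	if !found {
		return fmt.Sprintf("'%s' is present", flag), false
	}
	return compareEq(val, compareValue, flag)
}

func main() {
	// Constructed audit output: the flag is present with an empty value.
	out := "disabledIntegrityMonitoring: \n"
	msg, ok := evaluateEq(out, "disabledIntegrityMonitoring", "")
	fmt.Printf("%s -> %v\n", msg, ok)
}
```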
@chen-keinan (Collaborator)

@arjunkhunti-crest Please raise a PR with a suggested solution.

@arjunkhunti-crest (Author)

@chen-keinan, I have raised a PR with a suggested solution. Please find the relevant reference below.

@arjunkhunti-crest (Author)

The tentative solution for this issue is to add a new operator that could compare empty values.
