I am trying to integrate AWS Security Hub and EKS, and I've come across the following issue. Would you happen to have any suggestions on how to resolve it? Your assistance would be greatly appreciated. Thank you!
Here are the details regarding the error encountered.
failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2
How did you run kube-bench?
[Please specify exactly how you ran kube-bench, including details of command parameters and/or job file that you used to run it]
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench
  # If using a dedicated IAM role for kube-bench, uncomment the annotations
  # block below and replace the ROLE_ARN
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::xxxxxx:role/kube-bench-xxx-scan-re"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "xxxxx"
    AWS_REGION: "us-east-1"
    CLUSTER_ARN: "arn:aws:eks:us-east-1:xxxxx:cluster/xxx-xxx-stage"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          # Push the image to your ECR and then refer to it here
          image: docker.io/aquasec/kube-bench:latest
          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          # TBD - RE
          # image: xxxxx.dkr.ecr.us-east-1.amazonaws.com/aquasec/kube-bench:latest
          command:
            [
              "kube-bench",
              "run",
              "--targets",
              "node",
              "--benchmark",
              "eks-1.2.0",
              "--asff",
            ]
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            - name: kube-bench-eks-config
              mountPath: "/opt/kube-bench/cfg/eks-1.2.0/config.yaml"
              subPath: config.yaml
              readOnly: true
      restartPolicy: Never
      serviceAccountName: kube-bench
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            items:
              - key: config.yaml
                path: config.yaml
```
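The ASFF output path depends on three values in the mounted `config.yaml` (`AWS_ACCOUNT`, `AWS_REGION`, `CLUSTER_ARN`) agreeing with each other and with the IRSA role annotation on the ServiceAccount. The following pre-flight check is an added example, not part of kube-bench or of this issue; it parses the flat `KEY: "value"` lines of that ConfigMap without PyYAML and reports any inconsistency before the Job is applied. The account id, cluster name and role ARN below are constructed placeholders, not values from the reporter's cluster.

```python
import re

# Constructed sample of the config.yaml kube-bench mounts at
# /opt/kube-bench/cfg/eks-1.2.0/config.yaml (placeholder values, not real).
SAMPLE_CONFIG = '''AWS_ACCOUNT: "123456789012"
AWS_REGION: "us-east-1"
CLUSTER_ARN: "arn:aws:eks:us-east-1:123456789012:cluster/demo-stage"
'''

# Constructed sample of the eks.amazonaws.com/role-arn ServiceAccount annotation.
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/kube-bench-cis-scan"

EKS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:eks:([a-z0-9-]+):(\d{12}):cluster/[A-Za-z0-9_-]+$")
IAM_ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def parse_flat_yaml(text):
    """Parse the flat `KEY: "value"` lines kube-bench expects in config.yaml.
    Deliberately minimal so the check runs without PyYAML; nested YAML is rejected."""
    out = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0].isspace() or ":" not in line:
            raise ValueError(f"line {lineno}: expected flat KEY: value, got {raw!r}")
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def check_asff_config(config_text, role_arn=None):
    """Return a list of problems found in the ASFF config; an empty list means consistent."""
    problems = []
    try:
        cfg = parse_flat_yaml(config_text)
    except ValueError as exc:
        return [str(exc)]
    for key in ("AWS_ACCOUNT", "AWS_REGION", "CLUSTER_ARN"):
        if not cfg.get(key):
            problems.append(f"{key} is missing or empty")
    if problems:
        return problems
    account, region, cluster_arn = cfg["AWS_ACCOUNT"], cfg["AWS_REGION"], cfg["CLUSTER_ARN"]
    if not re.fullmatch(r"\d{12}", account):
        problems.append(f"AWS_ACCOUNT {account!r} is not a 12-digit account id")
    if not REGION_RE.match(region):
        problems.append(f"AWS_REGION {region!r} does not look like an AWS region")
    m = EKS_ARN_RE.match(cluster_arn)
    if not m:
        problems.append(f"CLUSTER_ARN {cluster_arn!r} is not an EKS cluster ARN")
    else:
        arn_region, arn_account = m.groups()
        # The region embedded in the cluster ARN must be the region findings are sent to.
        if arn_region != region:
            problems.append(f"CLUSTER_ARN region {arn_region} != AWS_REGION {region}")
        if arn_account != account:
            problems.append(f"CLUSTER_ARN account {arn_account} != AWS_ACCOUNT {account}")
    if role_arn is not None:
        rm = IAM_ROLE_ARN_RE.match(role_arn)
        if not rm:
            problems.append(f"role-arn {role_arn!r} is not an IAM role ARN")
        elif rm.group(1) != account:
            # IRSA role in another account than the one findings are published under.
            problems.append(f"role-arn account {rm.group(1)} != AWS_ACCOUNT {account}")
    return problems


if __name__ == "__main__":
    for p in check_asff_config(SAMPLE_CONFIG, SAMPLE_ROLE_ARN) or ["config is consistent"]:
        print(p)
```

Run it against the real `config.yaml` (for example `kubectl get cm kube-bench-eks-config -o jsonpath='{.data.config\.yaml}'` piped into `check_asff_config`) before applying the Job; it only validates shape and consistency of the values, it does not call AWS and does not diagnose the `ResolveEndpointV2` error itself.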
What happened?
```text
❯ k get po -n kube-bench
NAME               READY   STATUS   RESTARTS   AGE
kube-bench-g2lq2   0/1     Error    0          5m8s
kube-bench-m2tsw   0/1     Error    0          2m27s
❯ k describe po kube-bench-g2lq2 -n kube-bench
Name:             kube-bench-g2lq2
Namespace:        kube-bench
Priority:         0
Service Account:  kube-bench
Node:             ip-10-xx-xx-5.ec2.internal/10.xx.xx.x
Start Time:       Sun, 07 Apr 2024 12:32:53 -0500
Labels:           batch.kubernetes.io/controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  batch.kubernetes.io/job-name=kube-bench
                  controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  job-name=kube-bench
Annotations:      <none>
Status:           Failed
IP:               10.xx.xx.xxx
IPs:
  IP:           10.xx.xx.xxx
Controlled By:  Job/kube-bench
Containers:
  kube-bench:
    Container ID:  containerd://6d32baa3761533f37aa5a1017c7ebed7edc447cfbbc0b0226eb4a1a967f3659d
    Image:         docker.io/aquasec/kube-bench:latest
    Image ID:      docker.io/aquasec/kube-bench@sha256:1f91942f94a79c8298b06a562c74c17d43fcddb9159d82174485f8358ff3832b
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-bench
      run
      --targets
      node
      --benchmark
      eks-1.2.0
      --asff
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sun, 07 Apr 2024 12:32:53 -0500
      Finished:     Sun, 07 Apr 2024 12:32:54 -0500
    Ready:          False
    Restart Count:  0
    Environment:
      NODE_NAME:                    (v1:spec.nodeName)
      AWS_STS_REGIONAL_ENDPOINTS:   regional
      AWS_DEFAULT_REGION:           us-east-1
      AWS_REGION:                   us-east-1
      AWS_ROLE_ARN:                 arn:aws:iam::xxxxx:role/kube-bench-cis-scan-re
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /etc/kubernetes from etc-kubernetes (ro)
      /etc/systemd from etc-systemd (ro)
      /opt/kube-bench/cfg/eks-1.2.0/config.yaml from kube-bench-eks-config (ro,path="config.yaml")
      /var/lib/kubelet from var-lib-kubelet (ro)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zlqb5 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   False
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  var-lib-kubelet:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/kubelet
    HostPathType:
  etc-systemd:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/systemd
    HostPathType:
  etc-kubernetes:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes
    HostPathType:
  kube-bench-eks-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kube-bench-eks-config
    Optional:  false
  kube-api-access-zlqb5:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  5m19s  default-scheduler  Successfully assigned kube-bench/kube-bench-g2lq2 to ip-xx-xx-xx-5.ec2.internal
  Normal  Pulling    5m19s  kubelet            Pulling image "docker.io/aquasec/kube-bench:latest"
  Normal  Pulled     5m19s  kubelet            Successfully pulled image "docker.io/aquasec/kube-bench:latest" in 125ms (125ms including waiting)
  Normal  Created    5m19s  kubelet            Created container kube-bench
  Normal  Started    5m19s  kubelet            Started container kube-bench
```
What did you expect to happen:
I'm expecting that the pods should run smoothly and push the results to AWS Security Hub without encountering these errors.
Environment
[What is your version of kube-bench? (run kube-bench version)]
latest -> v0.7.2
[What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)]
EKS 1.29
Any update on this? I'm experiencing the same error with the same setup: failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2