AKS multiple False Positives #1970

Closed
2 tasks done
chen-keinan opened this issue Apr 2, 2024 · 9 comments · Fixed by #2017
Labels

- kind/bug: Categorizes issue or PR as related to a bug.
- priority/backlog: Higher priority than priority/awaiting-more-evidence.
- target/kubernetes: Issues relating to kubernetes cluster scanning

Comments

@chen-keinan
Collaborator

IDs

AVD-KCV-0083, AVD-KCV-0088, AVD-KCV-0089, AVD-KCV-0090, AVD-KCV-0091, AVD-KCV-0092

Description

- AVD-KCV-0083: verified that my AKS Kubelet does run with the flag `--protect-kernel-defaults` set to true
- AVD-KCV-0088: `--tls-cert-file` is correctly set (`/etc/kubernetes/certs/kubeletserver.crt`)
- AVD-KCV-0089: this one is a bit different: `--tls-key-file` is not set, but `--tls-private-key-file` is (`/etc/kubernetes/certs/kubeletserver.key`)
- AVD-KCV-0090: `--rotate-certificates` is correctly set to true
- AVD-KCV-0091: the mentioned config file (`/etc/kubernetes/kubelet.conf`) does not exist and is not used by AKS
- AVD-KCV-0092: cipher suites are set (`--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256`)

Reproduction Steps

1. Install Trivy Operator on AKS cluster
2. Observe `cis` `ClusterComplianceReport`.

Target

Kubernetes

Scanner

Misconfiguration

Target OS

Ubuntu

Debug Output

N/A

Version

trivy-operator:0.19.2

Checklist

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning labels Apr 2, 2024
@Pionerd

Pionerd commented Apr 3, 2024

Could this be related? Another error related to different OSes, but apparently it fails to do something with the k8s-cluster SBOM, is that a special one?

```json
{"level":"error","ts":"2024-04-03T15:42:17Z","logger":"reconciler.scan job","msg":"Scan job container","job":"trivy-system/scan-vulnerabilityreport-6cccfb67dd","container":"k8s-cluster","status.reason":"Error","status.message":"2024-04-03T15:42:13.871Z\t\u001b[31mFATAL\u001b[0m\tsbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to decode components: multiple OS components are not supported\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller.(*ScanJobController).completedContainers\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller/scanjob.go:353\ngithub.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller.(*ScanJobController).SetupWithManager.(*ScanJobController).reconcileJobs.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller/scanjob.go:80\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.17.2/pkg/internal/controller/controller.go:227"}
```

@chen-keinan
Collaborator Author

@Pionerd it's a bug with the latest trivy versions; here is the issue ref.
It should be fixed soon.

@chen-keinan
Collaborator Author

@Pionerd I have opened a separate issue #2016 for the SBOM multi-OS problem.

@Pionerd

Pionerd commented May 6, 2024

@chen-keinan This one is not yet completely solved; AVD-KCV-0091 still pops up:

```yaml
- checks:
  - checkID: ""
    severity: ""
    success: true
  description: Enable kubelet client certificate rotation
  id: 4.2.11
  name: Ensure that the --rotate-certificates argument is not set to false
  severity: CRITICAL
- checks:
  - category: Kubernetes Security Check
    checkID: AVD-KCV-0091
    description: Enable kubelet server certificate rotation.
    messages:
    - Enable kubelet server certificate rotation.
    remediation: Edit the kubelet service file /etc/kubernetes/kubelet.conf and
      set --feature-gates=RotateKubeletServerCertificate=true
    severity: HIGH
    success: false
    target: /node-aks-spot-21258674-vmss00000d
    title: Verify that the RotateKubeletServerCertificate argument is set to true
```

@chen-keinan
Collaborator Author

chen-keinan commented May 6, 2024

@Pionerd can you please run the following command and let me know what value you get for `kubeletconfig.featureGates.RotateKubeletServerCertificate`?

```shell
kubectl get --raw "/api/v1/nodes/<node name>/proxy/configz"
```

@Pionerd

Pionerd commented May 6, 2024

The only featureGate I get is `"featureGates":{"CSIMigrationAzureFile":true}`

@Pionerd

Pionerd commented May 6, 2024

However, what may be interesting is this one:

```json
{
   "kubeletconfig":{
      "enableServer":true,
[...]
      "rotateCertificates":true, <--
[...]
```

@chen-keinan
Collaborator Author

chen-keinan commented May 6, 2024

> However, what may be interesting is this one:
>
> ```json
> {
>    "kubeletconfig":{
>       "enableServer":true,
> [...]
>       "rotateCertificates":true, <--
> [...]
> ```

You should have both:

1. kubelet Rotate Kubelet Server Certificate Argument Set: `kubeletconfig.featureGates.RotateKubeletServerCertificate`
2. kubelet Rotate Certificates Argument Set: `kubeletconfig.rotateCertificates`
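The two settings discussed above can be evaluated straight from the `configz` payload. The script below is an added example, not trivy-operator code; it evaluates `kubeletconfig.rotateCertificates` (the 4.2.11 / AVD-KCV-0090 check) and the `RotateKubeletServerCertificate` feature gate (AVD-KCV-0091) against constructed sample payloads modelled on the fragment quoted in this thread. It also shows why the literal reading of the gate produces the false positive reported here: a gate missing from `featureGates` takes its default, and `RotateKubeletServerCertificate` has defaulted to true since it went beta in Kubernetes 1.12, so an AKS node that lists only `CSIMigrationAzureFile` is not running with server-certificate rotation off.

```python
"""Evaluate the kubelet certificate-rotation checks from the thread against a
/proxy/configz payload.

Added example, not trivy-operator code. Sample payloads are constructed; the
check IDs are the ones that appear in the report quoted in the thread.
"""
import json

# Constructed sample modelled on the AKS node in the thread: the server-rotation
# gate is absent from featureGates and only rotateCertificates is set.
AKS_LIKE_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "enableServer": True,
        "rotateCertificates": True,
        "featureGates": {"CSIMigrationAzureFile": True},
    }
})

# Constructed sample of a node where the gate really has been switched off.
GATE_OFF_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "rotateCertificates": True,
        "featureGates": {"RotateKubeletServerCertificate": False},
    }
})

# Defaults for the gates the checks care about. RotateKubeletServerCertificate
# has been enabled by default since it reached beta in Kubernetes 1.12, so an
# absent entry means "on", not "off".
FEATURE_GATE_DEFAULTS = {"RotateKubeletServerCertificate": True}


def load_kubelet_config(raw: str) -> dict:
    """Parse the configz JSON and return the kubeletconfig object."""
    doc = json.loads(raw)
    cfg = doc.get("kubeletconfig")
    if not isinstance(cfg, dict):
        raise ValueError("configz payload has no kubeletconfig object")
    return cfg


def effective_feature_gate(cfg: dict, name: str) -> bool:
    """Explicit value from featureGates when present, otherwise the gate's default."""
    gates = cfg.get("featureGates") or {}
    if name in gates:
        return bool(gates[name])
    return FEATURE_GATE_DEFAULTS.get(name, False)


def check_rotate_certificates(cfg: dict) -> bool:
    """CIS 4.2.11 / AVD-KCV-0090: kubeletconfig.rotateCertificates must be true.
    The kubelet default for this field is false, so an absent key fails."""
    return cfg.get("rotateCertificates") is True


def check_rotate_server_certificate(cfg: dict) -> bool:
    """AVD-KCV-0091: the RotateKubeletServerCertificate gate must be effectively on."""
    return effective_feature_gate(cfg, "RotateKubeletServerCertificate")


def naive_rotate_server_certificate(cfg: dict) -> bool:
    """The literal reading behind the false positive: only an explicit
    featureGates entry counts, so the AKS-like payload fails."""
    gates = cfg.get("featureGates") or {}
    return gates.get("RotateKubeletServerCertificate") is True


def evaluate(raw: str) -> dict:
    """Run both checks and return {check_id: passed}."""
    cfg = load_kubelet_config(raw)
    return {
        "AVD-KCV-0090": check_rotate_certificates(cfg),
        "AVD-KCV-0091": check_rotate_server_certificate(cfg),
    }


if __name__ == "__main__":
    # On a real cluster, feed in the output of:
    #   kubectl get --raw "/api/v1/nodes/<node name>/proxy/configz"
    for label, payload in (("aks-like", AKS_LIKE_CONFIGZ), ("gate-off", GATE_OFF_CONFIGZ)):
        print(label, evaluate(payload))
```

The `naive_rotate_server_certificate` function is kept only to make the failure mode visible next to the corrected logic; a check that reads the gate that way reports AVD-KCV-0091 as failed on every node whose kubelet leaves the gate at its default.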
