AKS multiple False Positives #1970
Comments
Could this be related? Another error related to different OSes, but apparently it fails to do something with the k8s-cluster SBOM, is that a special one?
@chen-keinan This one is not yet completely solved, KVD-KCV-0091 still pops up:
@Pionerd can you please run the following command and let me know which value you get for
The only
However, what may be interesting is this one:
you should have both:
Apparently AKS is complying with this control, but not in the way CIS scans expect it:
IDs
AVD-KCV-0083, AVD-KCV-0088, AVD-KCV-0089, AVD-KCV-0090, AVD-KCV-0091, AVD-KCV-0092
Description
AVD-KCV-0083: verified that my AKS Kubelet does run with the flag --protect-kernel-defaults set to true
AVD-KCV-0088: --tls-cert-file is correctly set (/etc/kubernetes/certs/kubeletserver.crt)
AVD-KCV-0089: this one is a bit different, --tls-key-file is not set, but --tls-private-key-file is (/etc/kubernetes/certs/kubeletserver.key)
AVD-KCV-0090: --rotate-certificates is correctly set to true
AVD-KCV-0091: the mentioned config file (/etc/kubernetes/kubelet.conf) does not exist / is not used by AKS
AVD-KCV-0092: cipher suites are set (--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256)
Reproduction Steps
Target: Kubernetes
Scanner: Misconfiguration
Target OS: Ubuntu
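As an added example (not code from this issue or from Trivy), the following Python check parses a kubelet command line and evaluates the flag-based controls listed above, accepting --tls-private-key-file for AVD-KCV-0089 as AKS sets it, and also flags configured cipher suites without ECDHE key exchange. The sample command line is constructed; AVD-KCV-0091 concerns the config file path and is left out, since the issue reports AKS does not use that file.

```python
import shlex

# Added example, not Trivy code. Constructed sample modelled on the AKS kubelet
# flags quoted in the issue; on a live node use e.g. `ps -o args= -C kubelet`.
SAMPLE_CMDLINE = (
    "/usr/local/bin/kubelet --protect-kernel-defaults=true"
    " --tls-cert-file=/etc/kubernetes/certs/kubeletserver.crt"
    " --tls-private-key-file=/etc/kubernetes/certs/kubeletserver.key --rotate-certificates=true"
    " --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
)

def parse_flags(cmdline: str) -> dict:
    """Parse '--key=value', '--key value' and bare '--key' tokens into a dict."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary path
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok[2:].split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, value = tok[2:], tokens[i + 1]
                i += 1
            else:
                key, value = tok[2:], "true"  # bare boolean flag
            flags[key] = value
        i += 1
    return flags

def evaluate(flags: dict) -> dict:
    """Map each flag-based check ID from the issue to True (compliant) or False."""
    return {
        "AVD-KCV-0083": flags.get("protect-kernel-defaults") == "true",
        "AVD-KCV-0088": bool(flags.get("tls-cert-file")),
        # The issue reports AKS sets --tls-private-key-file, not --tls-key-file;
        # accept either spelling for the private-key requirement.
        "AVD-KCV-0089": bool(flags.get("tls-private-key-file") or flags.get("tls-key-file")),
        "AVD-KCV-0090": flags.get("rotate-certificates") == "true",
        "AVD-KCV-0092": bool(flags.get("tls-cipher-suites")),
    }

def non_forward_secret_suites(flags: dict) -> list:
    """Configured suites without ECDHE key exchange, which lack forward secrecy."""
    suites = flags.get("tls-cipher-suites", "")
    return [s for s in suites.split(",") if s and not s.startswith("TLS_ECDHE_")]

if __name__ == "__main__":
    parsed = parse_flags(SAMPLE_CMDLINE)
    print(evaluate(parsed), non_forward_secret_suites(parsed))
```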