
[Bug]: Kubernetes RBAC errors #4060

Closed
s4mur4i opened this issue May 22, 2024 · 10 comments · Fixed by #4063, #4075 or #4078
Assignees
Labels
bug provider/kubernetes Issues/PRs related with the Kubernetes provider severity/medium Results in some unexpected or undesired behavior. status/waiting-for-revision Waiting for maintainer's revision

Comments


s4mur4i commented May 22, 2024

Steps to Reproduce

On kubernetes running checks:

    Image:         public.ecr.aws/prowler-cloud/prowler:4.1.0
    Image ID:      public.ecr.aws/prowler-cloud/prowler@sha256:f1b590c7316bef07de90c6ef09762ea6342d1908d874c9f2f69f900aa375db89
    Command:
      prowler
      kubernetes
      --log-level
      ERROR
      --ignore-exit-code-3
      --output-directory
      k8s

And following output is produced:

2024-05-22 13:25:46,791 [File: rbac_service.py:130] 	[Module: rbac_service]	 ERROR: TypeError[118]: 'NoneType' object is not iterable
Something went wrong in rbac_minimize_csr_approval_access, please use --log-level ERROR

2024-05-22 13:25:46,868 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_csr_approval_access -- AttributeError[23]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_node_proxy_subresource_access, please use --log-level ERROR

2024-05-22 13:25:46,870 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_node_proxy_subresource_access -- AttributeError[23]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_pod_creation_access, please use --log-level ERROR

2024-05-22 13:25:46,873 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_pod_creation_access -- AttributeError[15]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_pv_creation_access, please use --log-level ERROR

We are on log-level ERROR, and there are no details about the error.

Expected behavior

Expected details about the error, or more information on how to find the issue.

Actual Result with Screenshots or Logs

                         _
 _ __  _ __ _____      _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V  V /| |  __/ |
| .__/|_|  \___/ \_/\_/ |_|\___|_|v4.1.0
|_| the handy multi-cloud security tool

Date: 2024-05-22 13:25:36

-> Using the Kubernetes credentials below:
  · Kubernetes Pod: prowler
  · Namespace: cloud

-> Using the following configuration:
  · Config File: /home/prowler/.local/lib/python3.12/site-packages/prowler/config/config.yaml

Executing 83 checks, please wait...

2024-05-22 13:25:40,490 [File: core_service.py:103] 	[Module: core_service]	 ERROR: ValidationError[94]: 1 validation error for ConfigMap
data
  none is not an allowed value (type=type_error.none.not_allowed)
Something went wrong in core_minimize_net_raw_capability_admission, please use --log-level ERROR

2024-05-22 13:25:44,450 [File: check.py:464] 	[Module: check]	 ERROR: core_minimize_net_raw_capability_admission -- TypeError[19]: argument of type 'NoneType' is not iterable

2024-05-22 13:25:46,791 [File: rbac_service.py:130] 	[Module: rbac_service]	 ERROR: TypeError[118]: 'NoneType' object is not iterable
Something went wrong in rbac_minimize_csr_approval_access, please use --log-level ERROR

2024-05-22 13:25:46,868 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_csr_approval_access -- AttributeError[23]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_node_proxy_subresource_access, please use --log-level ERROR

2024-05-22 13:25:46,870 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_node_proxy_subresource_access -- AttributeError[23]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_pod_creation_access, please use --log-level ERROR

2024-05-22 13:25:46,873 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_pod_creation_access -- AttributeError[15]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_pv_creation_access, please use --log-level ERROR

2024-05-22 13:25:46,875 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_pv_creation_access -- AttributeError[24]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_secret_access, please use --log-level ERROR

2024-05-22 13:25:46,877 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_secret_access -- AttributeError[15]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_service_account_token_creation, please use --log-level ERROR

2024-05-22 13:25:46,880 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_service_account_token_creation -- AttributeError[23]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_webhook_config_access, please use --log-level ERROR

2024-05-22 13:25:46,882 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_webhook_config_access -- AttributeError[26]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_wildcard_use_roles, please use --log-level ERROR

2024-05-22 13:25:46,884 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_wildcard_use_roles -- AttributeError[9]: 'list' object has no attribute 'values'
-> Scan completed! |▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉| 83/83 [100%] in 8.3s

Overview Results:
╭─────────────────────┬──────────────────────┬────────────────╮
│ 12.39% (406) Failed │ 85.72% (2810) Passed │ 0.0% (0) Muted │
╰─────────────────────┴──────────────────────┴────────────────╯

And the ClusterRole, as given in the example:

Name:         prowler-k8s-clusterrole
Labels:       service_group=prowler
Annotations:  <none>
PolicyRule:
  Resources                                      Non-Resource URLs  Resource Names  Verbs
  ---------                                      -----------------  --------------  -----
  configmaps                                     []                 []              [get list watch]
  namespaces                                     []                 []              [get list watch]
  nodes                                          []                 []              [get list watch]
  pods                                           []                 []              [get list watch]
  clusterrolebindings.rbac.authorization.k8s.io  []                 []              [get list watch]
  clusterroles.rbac.authorization.k8s.io         []                 []              [get list watch]
  rolebindings.rbac.authorization.k8s.io         []                 []              [get list watch]
  roles.rbac.authorization.k8s.io                []                 []              [get list watch]

How did you install Prowler?

Docker (docker pull toniblyx/prowler)

Environment Resource

The cluster is an EKS cluster in AWS.

OS used

It is a Docker image.

Prowler version

4.1.0

Pip version

This is Docker.

Context

No response
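The two failures in the log above are shape problems rather than RBAC findings: a Kubernetes object field that is null where the check expected a collection (`'NoneType' object is not iterable` for a ConfigMap with no `data`, and for a ClusterRole whose `rules` is null), and a list arriving where a dict was expected (`'list' object has no attribute 'values'`). The following is an added example and not Prowler's code: it evaluates the kind of least-privilege questions the `rbac_minimize_*` checks ask (who may create pods, approve CSRs, or hold wildcard grants) over hand-constructed dicts shaped like the Kubernetes API's JSON, and it tolerates both null fields and either collection shape so a single odd object cannot abort the whole check. All object names, role names and ConfigMap contents below are constructed sample data.

```python
"""None-tolerant inspection of Kubernetes RBAC rules and ConfigMaps.

Added example, not Prowler's code. Sample objects are hand-built dicts shaped
like Kubernetes API JSON, including a ClusterRole with `rules: null` and a
ConfigMap with `data: null`, the two null shapes the report trips over.
"""

# Constructed sample ClusterRoles (not real cluster data).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "prowler-k8s-clusterrole"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps", "pods"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
          "verbs": ["get", "list", "watch"]}]},
    # An aggregated ClusterRole with no matching sources serialises with `rules: null`.
    {"metadata": {"name": "aggregated-empty"}, "rules": None},
    {"metadata": {"name": "too-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-creator"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get"]},
         {"apiGroups": ["certificates.k8s.io"],
          "resources": ["certificatesigningrequests/approval"], "verbs": ["update"]}]},
]

# Constructed sample ConfigMaps; the first has `data: null`, as in the report.
SAMPLE_CONFIGMAPS = [
    {"metadata": {"name": "no-data"}, "data": None},
    {"metadata": {"name": "admission"}, "data": {"config.yaml": "plugins: []"}},
]


def as_role_list(roles) -> list:
    """Accept roles as None, a list, or a dict keyed by name, and return a list.

    Normalising the shape up front avoids a mismatch like the report's
    `'list' object has no attribute 'values'`.
    """
    if roles is None:
        return []
    if isinstance(roles, dict):
        return list(roles.values())
    return list(roles)


def iter_rules(role: dict):
    """Yield a role's PolicyRules, treating a missing or null `rules` as empty."""
    yield from (role.get("rules") or [])


def _values(rule: dict, key: str) -> set:
    """A PolicyRule field as a set; a missing or null field becomes the empty set."""
    return set(rule.get(key) or [])


def rule_grants(rule: dict, resource: str, verb: str) -> bool:
    """True if a PolicyRule grants `verb` on `resource`, honouring `*` wildcards."""
    resources = _values(rule, "resources")
    verbs = _values(rule, "verbs")
    return ("*" in resources or resource in resources) and ("*" in verbs or verb in verbs)


def roles_granting(roles, resource: str, verb: str) -> list:
    """Names of roles granting `verb` on `resource` (the shape of a minimise-access check)."""
    return [role["metadata"]["name"] for role in as_role_list(roles)
            if any(rule_grants(rule, resource, verb) for rule in iter_rules(role))]


def roles_using_wildcards(roles) -> list:
    """Names of roles with `*` in any apiGroups, resources or verbs field."""
    return [role["metadata"]["name"] for role in as_role_list(roles)
            if any("*" in _values(r, "apiGroups") | _values(r, "resources") | _values(r, "verbs")
                   for r in iter_rules(role))]


def configmap_keys(configmap: dict) -> list:
    """Sorted data keys of a ConfigMap; a null `data` yields an empty list."""
    return sorted((configmap.get("data") or {}).keys())


if __name__ == "__main__":
    print("pods/create:", roles_granting(SAMPLE_CLUSTER_ROLES, "pods", "create"))
    print("CSR approval:", roles_granting(
        SAMPLE_CLUSTER_ROLES, "certificatesigningrequests/approval", "update"))
    print("wildcards:", roles_using_wildcards(SAMPLE_CLUSTER_ROLES))
    for cm in SAMPLE_CONFIGMAPS:
        print(cm["metadata"]["name"], configmap_keys(cm))
```

The design point is that the null-handling lives in the two accessors (`iter_rules`, `_values`) and the shape normalisation in `as_role_list`, so every check built on them inherits the tolerance; `aggregated-empty` simply contributes no findings rather than aborting the scan, and the ConfigMap with `data: null` is reported as having no keys.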

@s4mur4i s4mur4i added bug status/needs-triage Issue pending triage labels May 22, 2024

s4mur4i commented May 22, 2024

Also, with the debug log level, not much help:

2024-05-22 13:36:47,198 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_cluster_admin_usage

2024-05-22 13:36:47,202 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_csr_approval_access
Something went wrong in rbac_minimize_csr_approval_access, please use --log-level ERROR

2024-05-22 13:36:47,203 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_csr_approval_access -- AttributeError[23]: 'list' object has no attribute 'values'

2024-05-22 13:36:47,205 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_node_proxy_subresource_access
Something went wrong in rbac_minimize_node_proxy_subresource_access, please use --log-level ERROR

2024-05-22 13:36:47,205 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_node_proxy_subresource_access -- AttributeError[23]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_pod_creation_access, please use --log-level ERROR

2024-05-22 13:36:47,248 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_pod_creation_access

2024-05-22 13:36:47,248 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_pod_creation_access -- AttributeError[15]: 'list' object has no attribute 'values'

2024-05-22 13:36:47,252 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_pv_creation_access
Something went wrong in rbac_minimize_pv_creation_access, please use --log-level ERROR

2024-05-22 13:36:47,252 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_pv_creation_access -- AttributeError[24]: 'list' object has no attribute 'values'
Something went wrong in rbac_minimize_secret_access, please use --log-level ERROR

2024-05-22 13:36:47,255 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_secret_access

2024-05-22 13:36:47,256 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_secret_access -- AttributeError[15]: 'list' object has no attribute 'values'

2024-05-22 13:36:47,259 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_service_account_token_creation
Something went wrong in rbac_minimize_service_account_token_creation, please use --log-level ERROR

2024-05-22 13:36:47,259 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_service_account_token_creation -- AttributeError[23]: 'list' object has no attribute 'values'

2024-05-22 13:36:47,262 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_webhook_config_access
Something went wrong in rbac_minimize_webhook_config_access, please use --log-level ERROR

2024-05-22 13:36:47,263 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_webhook_config_access -- AttributeError[26]: 'list' object has no attribute 'values'

2024-05-22 13:36:47,265 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: rbac_minimize_wildcard_use_roles
Something went wrong in rbac_minimize_wildcard_use_roles, please use --log-level ERROR

2024-05-22 13:36:47,265 [File: check.py:464] 	[Module: check]	 ERROR: rbac_minimize_wildcard_use_roles -- AttributeError[9]: 'list' object has no attribute 'values'

2024-05-22 13:36:47,268 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: scheduler_bind_address

2024-05-22 13:36:47,270 [File: check.py:456] 	[Module: check]	 DEBUG: Executing check: scheduler_profiling

@jfagoagas jfagoagas added the provider/kubernetes Issues/PRs related with the Kubernetes provider label May 22, 2024
@sergargar sergargar self-assigned this May 22, 2024
@sergargar sergargar changed the title [Bug]: please use --log-level ERROR on log-level error [Bug]: Kubernetes RBAC errors May 22, 2024
@sergargar sergargar added status/waiting-for-revision Waiting for maintainer's revision severity/medium Results in some unexpected or undesired behavior. and removed status/needs-triage Issue pending triage labels May 22, 2024
@sergargar (Member)

Hi @s4mur4i, thanks for reaching out to us! We will fix these errors shortly and let you know when it is ready 🚀

@sergargar sergargar linked a pull request May 22, 2024 that will close this issue
@sergargar (Member)

@s4mur4i the above PR has the fixes for those errors, could you try it out, please?


s4mur4i commented May 22, 2024

We are currently using the public ECR repo. Can you generate a testing tag there to try it?


sergargar commented May 22, 2024

Sure @s4mur4i you can use the tag public.ecr.aws/prowler-cloud/prowler:latest, let me know if it works.


s4mur4i commented May 23, 2024

@sergargar it looks better, but I still see one error:

2024-05-23 07:23:07,783 [File: check.py:463] 	[Module: check]	 ERROR: core_minimize_net_raw_capability_admission -- TypeError[16]: argument of type 'NoneType' is not iterable
-> Scan completed! |▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉| 83/83 [100%] in 9.6s

Overview Results:
╭─────────────────────┬──────────────────────┬────────────────╮
│ 11.98% (460) Failed │ 86.41% (3319) Passed │ 0.0% (0) Muted │

Should I open a separate ticket for that?

@jfagoagas jfagoagas reopened this May 23, 2024
@jfagoagas (Member)

@s4mur4i thanks for testing it, @sergargar will take a look at it later today.

Thanks for using Prowler 🙌


s4mur4i commented May 23, 2024

@sergargar I am not sure the PR fixed the issue:

                         _
 _ __  _ __ _____      _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V  V /| |  __/ |
| .__/|_|  \___/ \_/\_/ |_|\___|_|v4.1.0
|_| the handy multi-cloud security tool

Date: 2024-05-23 15:03:45

-> Using the Kubernetes credentials below:
  · Kubernetes Pod: prowler
  · Namespace: cloud

-> Using the following configuration:
  · Config File: /home/prowler/.local/lib/python3.12/site-packages/prowler/config/config.yaml

Executing 83 checks, please wait...
Something went wrong in core_minimize_net_raw_capability_admission, please use --log-level ERROR

2024-05-23 15:03:54,158 [File: check.py:463] 	[Module: check]	 ERROR: core_minimize_net_raw_capability_admission -- TypeError[21]: argument of type 'NoneType' is not iterable
-> Scan completed! |▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉| 83/83 [100%] in 10.1s

Overview Results:
╭─────────────────────┬──────────────────────┬────────────────╮
│ 11.95% (462) Failed │ 86.44% (3341) Passed │ 0.0% (0) Muted │
╰─────────────────────┴──────────────────────┴────────────────╯

Context In-Cluster Scan Results (severity columns are for fails only):
╭────────────┬───────────┬────────────┬────────────┬────────┬──────────┬───────┬─────────╮
│ Provider   │ Service   │ Status     │   Critical │   High │   Medium │   Low │   Muted │
├────────────┼───────────┼────────────┼────────────┼────────┼──────────┼───────┼─────────┤
│ kubernetes │ core      │ FAIL (399) │          0 │    399 │        0 │     0 │       0 │
├────────────┼───────────┼────────────┼────────────┼────────┼──────────┼───────┼─────────┤
│ kubernetes │ kubelet   │ PASS (0)   │          0 │      0 │        0 │     0 │       0 │
├────────────┼───────────┼────────────┼────────────┼────────┼──────────┼───────┼─────────┤
│ kubernetes │ RBAC      │ FAIL (63)  │          0 │     63 │        0 │     0 │       0 │
╰────────────┴───────────┴────────────┴────────────┴────────┴──────────┴───────┴─────────╯
* You only see here those services that contains resources.

Using the latest image tag with image pull policy Always.


sergargar commented May 23, 2024

Sorry @s4mur4i, you're right, I have created another PR solving the issue. I'll let you know when it is merged.

@sergargar sergargar reopened this May 23, 2024
@sergargar sergargar linked a pull request May 23, 2024 that will close this issue
@sergargar (Member)

@s4mur4i let me know if it works now, thanks again!
