Docker CIS benchmarks analysis: Error connecting to docker daemon (does docker ps work?)

[za]

Hi,

I am trying the Docker CIS benchmark scenario: https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-5/docker-cis-benchmarks-in-kubernetes-containers/welcome

I am able to login to the daemonset pod, but somehow unable to run the Docker CIS shell script:

~/docker-bench-security # sh docker-bench-security.sh
Error connecting to docker daemon (does docker ps work?)

~/docker-bench-security # docker ps
Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x00\x00\x06\x04\x00\x00\x00\x00\x00\x00\x05\x00\x00@\x00".
* Are you trying to connect to a TLS-enabled daemon without TLS?

➜  ~ kubectl get daemonsets
NAME                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
docker-bench-security   2         2         2       2            2           <none>          11m

[za]

Hi @madhuakula once you have time, can you check on this? Thanks.

[za]

Hmm... CMIIW, this only works if we don't deploy into a managed-kubernetes service such as: AKS, EKS and/or GKE.

Note: Maybe we should improve the docs.

[madhuakula]

It's due to the container runtime, as the default runtime and socket is not available. Will try to push https://github.com/nokia/containerd-bench-security with both hacker-container and also the benchmarking. So we can update documentation.

[za]

Hi @madhuakula do you have any update on this?