...
Additional Testing
Bottlenecks/Errata
Applied Fixes
Kube-Hunter
KHV002
https://aquasecurity.github.io/kube-hunter/kb/KHV002.html
Solution:
Replace the default ClusterRole system:public-info-viewer with one that only grants the health endpoints (the /version path is no longer listed):
kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF
CAP_NET_RAW
The Docker runtime enables the Linux "NET_RAW" capability by default, and the Docker daemon has no configuration option to disable "NET_RAW":
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
So we have to turn to the Kubernetes-provided "PodSecurityPolicy" admission control for help.
Solution:
Use PodSecurityPolicy
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
High level steps:
- Create a PodSecurityPolicy to drop the Linux capability "NET_RAW".
- Create an RBAC role to allow use of the PodSecurityPolicy created in step 1.
- Bind the RBAC role to serviceaccount "default".
Exact PodSecurityPolicy spec we are using (everything else stays permissive; only NET_RAW is forced to be dropped):
spec:
  allowPrivilegeEscalation: true
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  requiredDropCapabilities:
  - NET_RAW
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
KHV050
https://aquasecurity.github.io/kube-hunter/kb/KHV050.html
Solution: stop automounting the service account token into pods that use the "default" service account:
kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
automountServiceAccountToken: false
EOF
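To confirm that the three fixes above actually landed on the cluster, here is an added audit script (not part of the original page) that reads the output of `kubectl get clusterrole,psp,sa -A -o json` and reports which fix is still missing. The embedded JSON sample is constructed, the PSP name `restricted-net-raw` is an assumed placeholder, and the script checks the "default" service account in every namespace rather than only the default namespace.

```python
import json
from typing import List, Tuple

# Constructed sample of `kubectl get clusterrole,psp,sa -A -o json` output (a v1 List),
# reduced to the objects the three fixes touch. Here only the NET_RAW fix is in place.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "system:public-info-viewer"},
     "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version"],
                "verbs": ["get"]}]},
    {"kind": "PodSecurityPolicy", "metadata": {"name": "restricted-net-raw"},  # assumed name
     "spec": {"privileged": True, "requiredDropCapabilities": ["NET_RAW"]}},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"},
     "automountServiceAccountToken": True},
]})


def audit_kube_hunter_fixes(kubectl_json: str) -> List[Tuple[str, str]]:
    """Return (check_id, message) for every fix from this page that is NOT in place."""
    findings = []
    items = json.loads(kubectl_json).get("items", [])
    net_raw_dropped = False
    for obj in items:
        kind, meta = obj.get("kind"), obj.get("metadata", {})
        if kind == "ClusterRole" and meta.get("name") == "system:public-info-viewer":
            # KHV002: the stock role grants anonymous GET on /version; the fix removes it.
            urls = {u for rule in obj.get("rules", []) for u in rule.get("nonResourceURLs", [])}
            if "/version" in urls:
                findings.append(("KHV002", "system:public-info-viewer still exposes /version"))
        elif kind == "PodSecurityPolicy":
            # CAP_NET_RAW: at least one PSP must force NET_RAW to be dropped.
            if "NET_RAW" in obj.get("spec", {}).get("requiredDropCapabilities", []):
                net_raw_dropped = True
        elif kind == "ServiceAccount" and meta.get("name") == "default":
            # KHV050: an absent field means the token IS mounted (the API default is true).
            if obj.get("automountServiceAccountToken", True):
                ns = meta.get("namespace", "?")
                findings.append(("KHV050", "serviceaccount default in namespace %s automounts its token" % ns))
    if not net_raw_dropped:
        findings.append(("CAP_NET_RAW", "no PodSecurityPolicy lists NET_RAW in requiredDropCapabilities"))
    return findings


if __name__ == "__main__":
    for check_id, msg in audit_kube_hunter_fixes(SAMPLE_KUBECTL_JSON):
        print(check_id, msg)
```

Pipe real cluster output in with `kubectl get clusterrole,psp,sa -A -o json` and an empty result means all three fixes are present.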
Bluval CI script
set -euo pipefail
cwd=$(pwd)
results_dir=$cwd/results
sudo rm -fr "$results_dir"
sudo rm -f "$cwd/results.zip"
mkdir -p "$results_dir"
blueprint=kubeedgees

info () {
    logger -s -t "run_bluval.info" "$*"
}

error () {
    logger -s -t "run_bluval.error" "$*"
    exit 1
}

cwd=$cwd/validation
cd "$cwd"

# update information in volumes yaml
sed -i \
    -e "/ssh_key_dir/{n; s@local: ''@local: '$SSH_KEY_DIR'@}" \
    -e "/kube_config_dir/{n; s@local: ''@local: '$K8S_CONFIG_DIR'@}" \
    -e "/custom_variables_file/{n; s@local: ''@local: '$cwd/tests/variables.yaml'@}" \
    -e "/blueprint_dir/{n; s@local: ''@local: '$cwd/bluval/'@}" \
    -e "/results_dir/{n; s@local: ''@local: '$results_dir'@}" \
    "$cwd/bluval/volumes.yaml"

# point the test variables at the cluster master; the dots in the IP pattern are escaped
sed -i \
    -e "s/host: [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/host: $CLUSTER_MASTER_IP/" \
    -e "s/username: [A-Za-z0-9_]* /username: $SSH_USER/" \
    -e "s/password: [A-Za-z0-9_]* /password: /" \
    -e "s|ssh_keyfile: [A-Za-z0-9_]* |ssh_keyfile: /root/.ssh/id_rsa|" \
    "$cwd/tests/variables.yaml"

cat >"$cwd/bluval/bluval-kubeedgees.yaml" <<EOF
blueprint:
    name: kubeedgees
    layers:
        - os
        - k8s
    os: &os
        -
            name: lynis
            what: lynis
            optional: "False"
        -
            name: vuls
            what: vuls
            optional: "False"
    k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
EOF

# Capture blucon.sh's exit status explicitly: under `set -e` an unguarded failure would
# abort the script before the check, and after the chown `$?` would be chown's status.
rc=0
"$cwd/bluval/blucon.sh" "$blueprint" || rc=$?
sudo chown -R "$(id -u):$(id -g)" "$results_dir"
if [ "$rc" -ne 0 ]; then
    error "blucon.sh exited with return code $rc"
fi

echo "$BLUEPRINT_BUILD_VERSION"
source ~/.lftools/bin/activate
NEXUS_PATH="${LAB_SILO}/$blueprint/$BLUEPRINT_BUILD_VERSION"
cd "$results_dir/.." && zip -r results.zip ./results
lftools deploy nexus-zip https://nexus.akraino.org/ logs "$NEXUS_PATH" results.zip
HRDN-7220
Check whether compilers such as gcc and g++ are installed on the node. If so, remove them. For example, on Ubuntu:
sudo apt remove gcc g++