Akraino Security Sub-Committee Meeting Agenda 01/25/2021

Attendees:

Randy Stricklin

Tina Tsou

Noha Youssef

Daniil Egranov


Agenda:


  1. Open forum to discuss CVE exception spreadsheet items with Blueprint owners.


  1. Kube-hunter K8s vulnerability fixes:


Hi Randy / Oleg / PCEI Blueprint members,


In EALT-Edge Blueprint, we are using Kubernetes 1.17.2.  But based on the logs of Kube-hunter pod.log, PCEI BP is using K8s 1.14.6.

Eventhough, we are using a different K8s version we had faced similar issues.  


We applied the below fixes to solve Kube-hunter related issues.  See if it helps.


kubectl get serviceaccount default -o yaml > ./serviceaccountdefault.yaml

sed '/^secrets:.*/i automountServiceAccountToken: false' serviceaccountdefault.yaml >> servicedefault.yaml

kubectl replace serviceaccount default -f ./servicedefault.yaml


kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF


Thanks,

Srinivasan


Hi Oleg,


FYI, a few fixes we have applied in KubeEdge have been documented here:

KubeEdge BP Test Documents - Akraino - Akraino Confluence


Thanks,

Hao



Hi Randy & Oleg,


In case it’s related, please find below the findings by Todd from Intel, he said the Kube-Hunter docker image was incorrectly requiring NET_RAW to discover clusters when running inside a pod. So this means if we disable CAP_NET_RAW, then no cluster could be discovered by using the old Kube-Hunter image.


Thanks,

Hao


Just to follow up on this in case you're interested: the kube-hunter folks just merged https://github.com/aquasecurity/kube-hunter/pull/416 (available in the aquasec/kube-hunter:edge image) that resolves the issue with CAP_NET_RAW being required to discover clusters when run inside a Pod.  With this image, the restricted PodSecurityPolicy and kube-hunter work well together.


Thanks again for the help,

-Todd



  • No labels