
[ForwardPort: v2.9] [BUG] Scan not running on worker nodes for k3s scan profiles and other test failures #259

Closed
vardhaman22 opened this issue Jan 16, 2024 · 1 comment

Comments

@vardhaman22
Contributor

forwardPort for: #254

Rancher Server Setup

  • Rancher version: v2.8-head (66007093a)
  • Installation option (Docker install/Helm Chart): Docker
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc):
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: v1.26.11+k3s1
  • Cluster Type (Local/Downstream): Downstream
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): Infrastructure Provider, Amazon EC2

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom): Admin
    • If custom, define the set of permissions:

Describe the bug

Installed cis-benchmark chart 5.1.0-rc4 and ran a scan on a k3s v1.26.11+k3s1 cluster with k3s-cis-1.8-permissive.
It was observed that the 4.x.x scans are only running on control plane and etcd nodes, whereas they should be running on all the nodes. This is the same case with the rke1 and rke2 profiles.

To Reproduce

  1. Provision a k3s v1.26.11+k3s1 cluster on Amazon EC2.
  2. Install cis-benchmark-chart 5.1.0-rc4 on the cluster.
  3. Run a scan with the k3s-cis-1.8-permissive profile.

Result
Observe that the 4.x.x tests are only running on control plane and etcd nodes.

Expected Result

The 4.x.x tests should run on all the nodes.

Screenshots

Additional context

There are some other failures as well with the chart on k3s clusters.
On a K3S hardened cluster, k3s-cis-1.8-permissive is failing:

  • Fail: 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)
  • Fail: 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)

whereas the same checks passed on the 1.8-hardened profile:

  • Pass: 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)
  • Pass: 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
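To see what checks 4.1.9 and 4.1.10 actually assert on a node, here is an added stand-alone re-implementation of the two file checks (example code written for this page, not the cis-benchmark chart's or kube-bench's own logic). It assumes GNU `stat` on Linux; the sample file it creates is constructed, and the kubelet config path on a real node is whatever `--config` points at.

```shell
#!/bin/sh
# Added example: CIS 4.1.9 (mode 600 or more restrictive) and 4.1.10
# (ownership root:root) for the kubelet --config file. Assumes GNU stat.

# 4.1.9: no permission bit outside the owner's rw may be set.
# Returns 0 on pass, 1 on fail, 2 if the file cannot be stat'ed.
check_mode_600() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
  # "0$mode" makes the shell read the digits as octal; 0177 is every bit
  # that 0600 does not allow (owner x, all group and other bits).
  [ $(( 0$mode & 0177 )) -eq 0 ]
}

# 4.1.10: owner must be root:root, compared numerically as uid:gid (0:0).
# A different expected uid:gid may be passed as the second argument.
# Returns 0 on pass, 1 on fail, 2 if the file cannot be stat'ed.
check_owner() {
  expected=${2:-0:0}
  owner=$(stat -c '%u:%g' "$1" 2>/dev/null) || return 2
  [ "$owner" = "$expected" ]
}

# Print a kube-bench style verdict for both checks on one file.
report() {
  f=$1
  if check_mode_600 "$f"; then v=PASS; else v=FAIL; fi
  echo "$v 4.1.9  $f mode $(stat -c '%a' "$f" 2>/dev/null)"
  if check_owner "$f"; then v=PASS; else v=FAIL; fi
  echo "$v 4.1.10 $f owner $(stat -c '%U:%G' "$f" 2>/dev/null)"
}

# Demo on a constructed file: world-readable first, then tightened to 600.
demo_file=$(mktemp /tmp/kubelet-config.XXXXXX)
echo 'apiVersion: kubelet.config.k8s.io/v1beta1' > "$demo_file"
chmod 644 "$demo_file"; report "$demo_file"
chmod 600 "$demo_file"; report "$demo_file"
rm -f "$demo_file"
```

Running it as a non-root user shows 4.1.10 failing on the demo file even after the chmod, which is exactly the ownership finding the permissive profile reported above.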
@vivek-shilimkar
Member

Tested the CIS scan with k3s-cis-1.8-permissive profile on k3s cluster with chart v6.0.0-rc2. 4.1.9 and 4.1.10 scans are passing on cluster. Hence closing the issue.
