Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
Introduction

...

There are 4 CVEs with CVSS score > 9.0. These require upstream kernel patches, and exceptions have been requested here:

Akraino CVE Vulnerability Exception Request

Kube-Hunter

Fixed 3 vulnerabilities:

...

An exception has been granted:

Akraino BluVal Exception Request

Reason:

  • Sonobuoy assumes the all nodes are within a Layer 2 network, which is the case for the standard Kubernetes environment.
  • KubeEdge solves a different problem where typically the edge nodes are behind corporate firewalls. And cloud node do not have direct access to the edge nodes due to security and permission restrictions.

...

Change the default ClusterRole system:public-info-viewer

kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:  # /version has
been removed   - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF

CAP_NET_RAW

Docker runtime enables Linux "NET_RAW" capability by default. Docker daemon does not have an option to disable "NET_RAW":

https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file

So we have to turn to K8s provided "PodSecurityPolicy" for help.

Solution:

Use PodSecurityPolicy

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Steps:

...

High level steps:

  1. Create a PodSecurityPolicy to drop the Linux capability "NET_RAW".
  2. Create an RBAC role to allow use of the PodSecurityPolicy created in step 1.
  3. Bind the RBAC role to serviceaccount "default".

Exact PodSecurityPolicy Spec we are using:

spec:
  allowPrivilegeEscalation: true
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  requiredDropCapabilities:
  - NET_RAW
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

KHV050
https://aquasecurity.github.io/kube-hunter/kb/KHV050.html

Solution:

kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
automountServiceAccountToken: false
EOF


Bluval CI script

Code Block
languagebash
titleBluval
set -euo pipefail
cwd=$(pwd)
results_dir=$cwd/results
sudo rm -fr $results_dir
sudo rm -f $cwd/results.zip
mkdir -p $results_dir

blueprint=kubeedgees

info ()  {
    logger -s -t "run_bluval.info" "$*"
}

error () {
    logger -s -t "run_bluval.error" "$*"
    exit 1
}

cwd=$cwd/validation
cd $cwd


# update information in volumes yaml
sed -i \
    -e "/ssh_key_dir/{n; s@local: ''@local: '$SSH_KEY_DIR'@}" \
    -e "/kube_config_dir/{n; s@local: ''@local: '$K8S_CONFIG_DIR'@}" \
    -e "/custom_variables_file/{n; s@local: ''@local: '$cwd/tests/variables.yaml'@}" \
    -e "/blueprint_dir/{n; s@local: ''@local: '$cwd/bluval/'@}" \
    -e "/results_dir/{n; s@local: ''@local: '$results_dir'@}" \
    "$cwd/bluval/volumes.yaml"
   
sed -i \
    -e "s/host: [0-9]*.[0-9]*.[0-9]*.[0-9]*/host: $CLUSTER_MASTER_IP/" \
    -e "s/username: [A-Za-z0-9_]* /username: $SSH_USER/" \
    -e "s/password: [A-Za-z0-9_]* /password: /" \
    -e "s|ssh_keyfile: [A-Za-z0-9_]* |ssh_keyfile: /root/.ssh/id_rsa|" \
    "$cwd/tests/variables.yaml"

cat >"$cwd/bluval/bluval-kubeedgees.yaml" <<EOF
blueprint:
    name: kubeedgees
    layers:
        - os
        - k8s

    os: &os
        -
            name: lynis
            what: lynis
            optional: "False"
        -
            name: vuls
            what: vuls
            optional: "False"

    k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
EOF

$cwd/bluval/blucon.sh $blueprint

if [ $? -ne 0 ]; then
    sudo chown -R $(id -u):$(id -g) "$results_dir"
    error "blucon.sh exited with return code $?"
fi

sudo chown -R $(id -u):$(id -g) "$results_dir"

echo $BLUEPRINT_BUILD_VERSION

source ~/.lftools/bin/activate
NEXUS_PATH="${LAB_SILO}/$blueprint/$BLUEPRINT_BUILD_VERSION"
cd "$results_dir/.." && zip -r results.zip ./results
lftools deploy nexus-zip https://nexus.akraino.org/ logs "$NEXUS_PATH" results.zip

HRDN-7220

Check if compilers like gcc, g++ is installed. If yes, remove them. For example on ubuntu:

sudo apt remove gcc g++