Introduction
...
There are 4 CVEs with CVSS score > 9.0. These require upstream kernel patches, and exceptions have been requested here:
Akraino CVE Vulnerability Exception Request
Kube-Hunter
Fixed 3 vulnerabilities:
...
An exception has been granted:
Akraino BluVal Exception Request
Reason:
- Sonobuoy assumes that all nodes are within a single Layer 2 network, which is the case for a standard Kubernetes environment.
- KubeEdge solves a different problem, where the edge nodes are typically behind corporate firewalls, and the cloud nodes do not have direct access to the edge nodes due to security and permission restrictions.
...
Change the default ClusterRole system:public-info-viewer
kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  # /version has been removed
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF
CAP_NET_RAW
The Docker runtime enables the Linux "NET_RAW" capability by default, and the Docker daemon has no option to disable it:
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
So we have to turn to the Kubernetes-provided "PodSecurityPolicy" instead.
Solution:
Use PodSecurityPolicy
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Steps:
...
High level steps:
- Create a PodSecurityPolicy to drop the Linux capability "NET_RAW".
- Create an RBAC role to allow use of the PodSecurityPolicy created in step 1.
- Bind the RBAC role to serviceaccount "default".
Exact PodSecurityPolicy spec we are using (note that apart from requiredDropCapabilities it is fully permissive: privileged containers, host namespaces, all host ports and all volume types remain allowed):
spec:
  allowPrivilegeEscalation: true
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  requiredDropCapabilities:
  - NET_RAW
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
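Steps 2 and 3 of the procedure above (the RBAC role that permits `use` of the policy, and its binding to the "default" service account) are not shown on the page; the following is an added example, not the blueprint's own manifest. It assumes the PodSecurityPolicy above was created with the name drop-net-raw and that the target namespace is "default".

```yaml
# ClusterRole granting the "use" verb on the PSP (step 2).
# The policy name "drop-net-raw" is an assumption for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-drop-net-raw
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['drop-net-raw']
---
# RoleBinding so that pods using the "default" service account in the
# "default" namespace are admitted only through this policy (step 3).
# A RoleBinding (not a ClusterRoleBinding) keeps the grant namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-drop-net-raw
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-drop-net-raw
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
```

The PodSecurityPolicy admission plugin must be enabled on the API server for the policy to be enforced, and PodSecurityPolicy was removed in Kubernetes 1.25, so newer clusters need Pod Security Admission or an external policy engine to achieve the same capability drop.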
KHV050
https://aquasecurity.github.io/kube-hunter/kb/KHV050.html
Solution:
kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
automountServiceAccountToken: false
EOF
Bluval CI script
set -euo pipefail
cwd=$(pwd)
results_dir="$cwd/results"
sudo rm -fr "$results_dir"
sudo rm -f "$cwd/results.zip"
mkdir -p "$results_dir"
blueprint=kubeedgees

info () {
    logger -s -t "run_bluval.info" "$*"
}

error () {
    logger -s -t "run_bluval.error" "$*"
    exit 1
}

cwd=$cwd/validation
cd "$cwd"

# update information in volumes yaml
sed -i \
    -e "/ssh_key_dir/{n; s@local: ''@local: '$SSH_KEY_DIR'@}" \
    -e "/kube_config_dir/{n; s@local: ''@local: '$K8S_CONFIG_DIR'@}" \
    -e "/custom_variables_file/{n; s@local: ''@local: '$cwd/tests/variables.yaml'@}" \
    -e "/blueprint_dir/{n; s@local: ''@local: '$cwd/bluval/'@}" \
    -e "/results_dir/{n; s@local: ''@local: '$results_dir'@}" \
    "$cwd/bluval/volumes.yaml"

# point the test variables at the cluster under test
sed -i \
    -e "s/host: [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/host: $CLUSTER_MASTER_IP/" \
    -e "s/username: [A-Za-z0-9_]* /username: $SSH_USER/" \
    -e "s/password: [A-Za-z0-9_]* /password: /" \
    -e "s|ssh_keyfile: [A-Za-z0-9_]* |ssh_keyfile: /root/.ssh/id_rsa|" \
    "$cwd/tests/variables.yaml"

# layer definition for this blueprint: lynis and vuls on the OS layer,
# kube-hunter on the k8s layer
cat >"$cwd/bluval/bluval-kubeedgees.yaml" <<EOF
blueprint:
    name: kubeedgees
    layers:
        - os
        - k8s
    os: &os
        -
            name: lynis
            what: lynis
            optional: "False"
        -
            name: vuls
            what: vuls
            optional: "False"
    k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
EOF

# run the validation; capture the return code ourselves, since with
# "set -e" a failing blucon.sh would otherwise abort the script before
# the check below, and "$?" after the chown would report chown's status
rc=0
"$cwd/bluval/blucon.sh" "$blueprint" || rc=$?
if [ "$rc" -ne 0 ]; then
    sudo chown -R "$(id -u):$(id -g)" "$results_dir"
    error "blucon.sh exited with return code $rc"
fi
sudo chown -R "$(id -u):$(id -g)" "$results_dir"

# upload the results to Nexus
echo "$BLUEPRINT_BUILD_VERSION"
source ~/.lftools/bin/activate
NEXUS_PATH="${LAB_SILO}/$blueprint/$BLUEPRINT_BUILD_VERSION"
cd "$results_dir/.." && zip -r results.zip ./results
lftools deploy nexus-zip https://nexus.akraino.org/ logs "$NEXUS_PATH" results.zip
HRDN-7220
Check whether compilers such as gcc and g++ are installed. If so, remove them. For example, on Ubuntu:
sudo apt remove gcc g++