Table of Contents
Introduction
...
There are 4 CVEs with CVSS score > 9.0. These require upstream kernel patches, and exceptions have been requested here:
Akraino CVE Vulnerability Exception Request
Kube-Hunter
Fixed 3 vulnerabilities:
...
An exception has been granted:
Akraino BluVal Exception Request
Reason:
- Sonobuoy assumes the all nodes are within a Layer 2 network, which is the case for the standard Kubernetes environment.
- KubeEdge solves a different problem where typically the edge nodes are behind corporate firewalls. And cloud node do not have direct access to the edge nodes due to security and permission restrictions.
...
Change the default ClusterRole system:public-info-viewer
kubectl replace -f - <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "false" labels: kubernetes.io/bootstrapping: rbac-defaults name: system:public-info-viewer rules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - get EOF
CAP_NET_RAW
Docker runtime enables Linux "NET_RAW" capability by default. Docker daemon does not have an option to disable "NET_RAW":
...
Exact PodSecurityPolicy Spec we are using:
spec:
allowPrivilegeEscalation: true
fsGroup:
rule: RunAsAny
hostIPC: true
hostNetwork: true
hostPID: true
hostPorts:
- max: 65535
min: 0
privileged: true
requiredDropCapabilities:
- NET_RAW
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
KHV050
https://aquasecurity.github.io/kube-hunter/kb/KHV050.html
Solution:
kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
automountServiceAccountToken: false
EOF
Bluval CI script
| Code Block | ||||
|---|---|---|---|---|
| ||||
set -euo pipefail cwd=$(pwd) results_dir=$cwd/results sudo rm -fr $results_dir sudo rm -f $cwd/results.zip mkdir -p $results_dir blueprint=kubeedgees info () { logger -s -t "run_bluval.info" "$*" } error () { logger -s -t "run_bluval.error" "$*" exit 1 } cwd=$cwd/validation cd $cwd # update information in volumes yaml sed -i \ -e "/ssh_key_dir/{n; s@local: ''@local: '$SSH_KEY_DIR'@}" \ -e "/kube_config_dir/{n; s@local: ''@local: '$K8S_CONFIG_DIR'@}" \ -e "/custom_variables_file/{n; s@local: ''@local: '$cwd/tests/variables.yaml'@}" \ -e "/blueprint_dir/{n; s@local: ''@local: '$cwd/bluval/'@}" \ -e "/results_dir/{n; s@local: ''@local: '$results_dir'@}" \ "$cwd/bluval/volumes.yaml" sed -i \ -e "s/host: [0-9]*.[0-9]*.[0-9]*.[0-9]*/host: $CLUSTER_MASTER_IP/" \ -e "s/username: [A-Za-z0-9_]* /username: $SSH_USER/" \ -e "s/password: [A-Za-z0-9_]* /password: /" \ -e "s|ssh_keyfile: [A-Za-z0-9_]* |ssh_keyfile: /root/.ssh/id_rsa|" \ "$cwd/tests/variables.yaml" cat >"$cwd/bluval/bluval-kubeedgees.yaml" <<EOF blueprint: name: kubeedgees layers: - os - k8s os: &os - name: lynis what: lynis optional: "False" - name: vuls what: vuls optional: "False" k8s: &k8s - name: kube-hunter what: kube-hunter optional: "False" EOF $cwd/bluval/blucon.sh $blueprint if [ $? -ne 0 ]; then sudo chown -R $(id -u):$(id -g) "$results_dir" error "blucon.sh exited with return code $?" fi sudo chown -R $(id -u):$(id -g) "$results_dir" echo $BLUEPRINT_BUILD_VERSION source ~/.lftools/bin/activate NEXUS_PATH="${LAB_SILO}/$blueprint/$BLUEPRINT_BUILD_VERSION" cd "$results_dir/.." && zip -r results.zip ./results lftools deploy nexus-zip https://nexus.akraino.org/ logs "$NEXUS_PATH" results.zip |
HRDN-7220
Check if compilers like gcc, g++ is installed. If yes, remove them. For example on ubuntu:
sudo apt remove gcc g++