1/25/2021 Meeting
Akraino Security Sub-Committee Meeting Agenda 01/25/2021
Attendees:
Randy Stricklin
Tina Tsou
Noha Youssef
Daniil Egranov
Agenda:
- Open forum to discuss CVE exception spreadsheet items with Blueprint owners.
- Kube-hunter K8s vulnerability fixes:
Hi Randy / Oleg / PCEI Blueprint members,
In EALT-Edge Blueprint, we are using Kubernetes 1.17.2. But based on the logs of Kube-hunter pod.log, PCEI BP is using K8s 1.14.6.
Even though we are using a different K8s version, we have faced similar issues.
We applied the fixes below to solve the Kube-hunter related issues. See if it helps.
# 1. Stop auto-mounting the default service account token into pods
#    (kube-hunter flags the mounted token as a credential available to any pod).
kubectl get serviceaccount default -o yaml > ./serviceaccountdefault.yaml
# GNU sed: insert the top-level field just before the "secrets:" key.
sed '/^secrets:.*/i automountServiceAccountToken: false' serviceaccountdefault.yaml > servicedefault.yaml
kubectl replace -f ./servicedefault.yaml

# 2. Drop /version from the role that is bound to system:unauthenticated, so the
#    API server no longer discloses its version anonymously. The autoupdate
#    annotation stops the API server from restoring the stock role on restart.
kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF
Thanks,
Srinivasan
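The same two remediations as a small script, added here as an editor's example (it is not part of Srinivasan's message or the EALT-Edge blueprint). It works on `kubectl get ... -o json` output instead of editing YAML with sed, so it is idempotent, can be re-run after an upgrade, and still sets the field when the service account has no `secrets:` line (the sed insert above only fires on a matching line). The script name, the kubectl pipeline in the docstring and the sample manifests are my assumptions and constructed data.

```python
"""Apply the two kube-hunter remediations from the thread to manifests pulled
with `kubectl get ... -o json`, so the change is idempotent and reviewable.

Assumed pipeline (my usage, not from the original message):
  kubectl get clusterrole system:public-info-viewer -o json \
      | python3 harden_kubehunter.py clusterrole | kubectl replace -f -
  kubectl get serviceaccount default -o json \
      | python3 harden_kubehunter.py serviceaccount | kubectl replace -f -
"""
import copy
import json
import sys

# kube-hunter's version-disclosure check hits these paths anonymously; the
# rest of the stock role (/healthz, /livez, /readyz) is harmless and kept.
VERSION_PATHS = {"/version", "/version/"}
# Without this annotation set to "false" the API server reconciles bootstrap
# roles back to their defaults on every restart and silently undoes the edit.
AUTOUPDATE_ANNOTATION = "rbac.authorization.kubernetes.io/autoupdate"


def leaks_version(role: dict) -> bool:
    """True if any rule in the ClusterRole still grants GET on /version."""
    for rule in role.get("rules", []):
        urls = set(rule.get("nonResourceURLs", []))
        if urls & VERSION_PATHS and "get" in rule.get("verbs", []):
            return True
    return False


def harden_public_info_viewer(role: dict) -> dict:
    """Return a copy of the role with /version dropped and auto-reconcile off."""
    if role.get("kind") != "ClusterRole":
        raise ValueError("expected a ClusterRole, got %r" % role.get("kind"))
    out = copy.deepcopy(role)
    annotations = out.setdefault("metadata", {}).setdefault("annotations", {})
    annotations[AUTOUPDATE_ANNOTATION] = "false"
    rules = []
    for rule in out.get("rules", []):
        if "nonResourceURLs" in rule:
            kept = [u for u in rule["nonResourceURLs"] if u not in VERSION_PATHS]
            if not kept:  # the rule granted nothing but /version: drop it
                continue
            rule = dict(rule, nonResourceURLs=kept)
        rules.append(rule)
    out["rules"] = rules
    return out


def harden_service_account(sa: dict) -> dict:
    """Return a copy of the ServiceAccount with token automount disabled."""
    if sa.get("kind") != "ServiceAccount":
        raise ValueError("expected a ServiceAccount, got %r" % sa.get("kind"))
    out = copy.deepcopy(sa)
    out["automountServiceAccountToken"] = False
    return out


# Constructed samples shaped like the `-o json` output of a stock cluster,
# trimmed to the fields that matter here (not captured from a real cluster).
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {
        "annotations": {AUTOUPDATE_ANNOTATION: "true"},
        "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"},
        "name": "system:public-info-viewer",
    },
    "rules": [
        {"nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"],
         "verbs": ["get"]}
    ],
}
SAMPLE_SA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "default"},
    "secrets": [{"name": "default-token-abcde"}],
}

HANDLERS = {"clusterrole": harden_public_info_viewer,
            "serviceaccount": harden_service_account}


def main(argv):
    if len(argv) == 2 and argv[1] in HANDLERS:
        obj = json.load(sys.stdin)
        print(json.dumps(HANDLERS[argv[1]](obj), indent=2))
    else:  # no kind given: dry run on the constructed samples
        print(json.dumps(harden_public_info_viewer(SAMPLE_ROLE), indent=2))
        print(json.dumps(harden_service_account(SAMPLE_SA), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Only anonymous callers lose /version: authenticated principals still reach it through the `system:discovery` role bound to `system:authenticated`, so `kubectl version` keeps working for real users while kube-hunter's unauthenticated probe gets a 403. Re-running the script on already-hardened objects is a no-op, which makes it safe to keep in a post-upgrade checklist.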
Hi Oleg,
FYI, a few fixes we have applied in KubeEdge have been documented here:
KubeEdge BP Test Documents - Akraino - Akraino Confluence
Thanks,
Hao
Hi Randy & Oleg,
In case it's related, please find below the findings by Todd from Intel. He said the Kube-Hunter Docker image was incorrectly requiring NET_RAW to discover clusters when running inside a pod. So this means that if we disable CAP_NET_RAW, no cluster can be discovered using the old Kube-Hunter image.
Thanks,
Hao
Just to follow up on this in case you're interested: the kube-hunter folks just merged https://github.com/aquasecurity/kube-hunter/pull/416 (available in the aquasec/kube-hunter:edge image) that resolves the issue with CAP_NET_RAW being required to discover clusters when run inside a Pod. With this image, the restricted PodSecurityPolicy and kube-hunter work well together.
Thanks again for the help,
-Todd