KodeKloud Kubernetes Security CKS Lab Challenge 3 | kube-bench tool | identify and fix all the issues that were reported as failed for the controlplane and the worker node components.


Question: This is a two-node Kubernetes cluster. Using the kube-bench utility, identify and fix all the issues that were reported as failed for the controlplane and the worker node components.

Inspect the issues in detail by clicking on the icons of the interactive architecture diagram on the right and complete the tasks to secure the cluster. Once done click on the Check button to validate your work.



Solution:

1. Use AquaSec 'kube-bench' to identify and fix issues related to the controlplane and worker node components

Install and run the 'kube-bench' tool. The report is written as plain text to /var/www/html/index.html; the checks that still need fixing are the lines marked [FAIL].

root@controlplane ~ ➜ curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.tar.gz | tar -xz -C /opt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 7821k  100 7821k    0     0  16.1M      0 --:--:-- --:--:-- --:--:-- 16.1M
root@controlplane ~ ➜ mkdir -p /var/www/html
root@controlplane ~ ➜ /opt/kube-bench --config-dir /opt/cfg --config /opt/cfg/config.yaml > /var/www/html/index.html
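Reading a full kube-bench report by eye is error-prone, so the following added shell helper (not part of the lab or of the kube-bench project) filters a saved report for the checks marked [FAIL], optionally restricted to one top-level section (1-3 are control plane sections, 4 is the worker node section in the CIS benchmark layout). The report lines below are constructed in kube-bench's text format; the check IDs and titles are illustrative, not copied from a real run.

```shell
#!/bin/sh
# Added example: list failed kube-bench checks from a saved report.
# Constructed sample report (illustrative IDs and wording, not a real run).
SAMPLE_REPORT=/tmp/kube-bench-sample.txt
cat > "$SAMPLE_REPORT" <<'EOF'
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
[FAIL] 1.2.21 Ensure that the --profiling argument is set to false (Automated)
[INFO] 4 Worker Node Security Configuration
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
EOF

# bench_fails <report> [section] -> prints "<id> <title>" for every [FAIL] line,
# limited to check ids that start with "<section>." when a section is given.
bench_fails() {
  report=$1
  section=${2:-}
  awk -v sec="$section" '
    $1 == "[FAIL]" && (sec == "" || index($2, sec ".") == 1) {
      sub(/^\[FAIL\] /, "")   # drop the status tag, keep "id title"
      print
    }' "$report"
}

# bench_fail_count <report> [section] -> number of failed checks
bench_fail_count() {
  bench_fails "$@" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed report
echo "control plane failures:"; bench_fails "$SAMPLE_REPORT" 1
echo "worker node failures:";   bench_fails "$SAMPLE_REPORT" 4
echo "total failed checks: $(bench_fail_count "$SAMPLE_REPORT")"
```

On the lab cluster the report path would be /var/www/html/index.html instead of the constructed sample; rerun kube-bench after each fix and the FAIL count should drop to zero before you press Check.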

2. Inspect and fix etcd

kube-bench flags the etcd data directory because it is owned by etcd:root; the benchmark expects the owner and group to be etcd:etcd.

root@controlplane ~ ➜ ll -lsd /var/lib/etcd/
4 drwx------ 3 etcd root 4096 May  8 14:57 /var/lib/etcd//
root@controlplane ~ ➜ chown -R etcd:etcd /var/lib/etcd
root@controlplane ~ ➜ ll -lsd /var/lib/etcd/
4 drwx------ 3 etcd etcd 4096 May  8 14:57 /var/lib/etcd//


3. Fix kubelet security issues

Set protectKernelDefaults: true in the kubelet configuration on both nodes; the kubelet reads config.yaml at startup, so the setting takes effect on restart.

root@controlplane ~ ➜ echo 'protectKernelDefaults: true' >> /var/lib/kubelet/config.yaml
root@controlplane ~ ➜ systemctl restart kubelet
root@controlplane ~ ➜ ssh node01 'echo "protectKernelDefaults: true" >> /var/lib/kubelet/config.yaml'
root@controlplane ~ ➜ kubectl get nodes
NAME           STATUS   ROLES                  AGE   VERSION
controlplane   Ready    control-plane,master   22m   v1.23.0
node01         Ready    <none>                 21m   v1.23.0
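Appending with echo works when the key is absent, but if config.yaml already carries a protectKernelDefaults line (for example set to false) the append creates a duplicate key and the effective value depends on how the YAML is parsed. The following added shell function (not part of the lab) sets a top-level key in a kubelet config file idempotently: it rewrites the existing line if present and appends otherwise. The two config files are constructed for the example; the function name set_kubelet_key is this example's own.

```shell
#!/bin/sh
# Added example: set a top-level kubelet config key without duplicating it.
# set_kubelet_key <config-file> <key> <value>
set_kubelet_key() {
  cfg=$1; key=$2; val=$3
  if grep -q "^$key:" "$cfg"; then
    # Key already present at top level: rewrite that line (portable sed, no -i).
    sed "s|^$key:.*|$key: $val|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    # Key absent: append it.
    printf '%s: %s\n' "$key" "$val" >> "$cfg"
  fi
}

# kubelet_key_value <config-file> <key> -> value of the top-level key
kubelet_key_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# Constructed kubelet configs for the two cases (not the lab's files).
CFG_WITH_KEY=/tmp/kubelet-config-a.yaml
CFG_WITHOUT_KEY=/tmp/kubelet-config-b.yaml
cat > "$CFG_WITH_KEY" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
protectKernelDefaults: false
rotateCertificates: true
EOF
cat > "$CFG_WITHOUT_KEY" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
rotateCertificates: true
EOF

set_kubelet_key "$CFG_WITH_KEY" protectKernelDefaults true
set_kubelet_key "$CFG_WITHOUT_KEY" protectKernelDefaults true
# A second run must leave the file unchanged (idempotent).
set_kubelet_key "$CFG_WITHOUT_KEY" protectKernelDefaults true

echo "config a: protectKernelDefaults=$(kubelet_key_value "$CFG_WITH_KEY" protectKernelDefaults)"
echo "config b: protectKernelDefaults=$(kubelet_key_value "$CFG_WITHOUT_KEY" protectKernelDefaults)"
# On the lab cluster: run this against /var/lib/kubelet/config.yaml on the
# controlplane and on node01 (over ssh), then restart the kubelet on each node,
# because the kubelet only reads config.yaml at startup.
```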

4. Inspect and fix kube-controller-manager / kube-scheduler security issues

Neither manifest sets --profiling, so the profiling endpoint is enabled by default in both components; append --profiling=false to the container command in each static pod manifest.

root@controlplane ~ ➜ cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep -i profiling
root@controlplane ~ ➜ yq -i e '.spec.containers[0].command += "--profiling=false"' /etc/kubernetes/manifests/kube-controller-manager.yaml
root@controlplane ~ ➜ cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep -i profiling
        - --profiling=false
root@controlplane ~ ➜ cat /etc/kubernetes/manifests/kube-scheduler.yaml | grep -i profiling
root@controlplane ~ ➜ yq -i e '.spec.containers[0].command += "--profiling=false"' /etc/kubernetes/manifests/kube-scheduler.yaml
root@controlplane ~ ➜ cat /etc/kubernetes/manifests/kube-scheduler.yaml | grep -i profiling
        - --profiling=false

5. Inspect and fix kube-apiserver issues (profiling, insecure port, audit logging, admission plugins)

Write the edited manifest to a temporary file first and move it into /etc/kubernetes/manifests in one step; the kubelet recreates the static pod as soon as the manifest changes.

root@controlplane ~ ➜ mkdir -p /var/log/apiserver
root@controlplane ~ ➜ yq e '.spec.containers[0].command += [
     "--profiling=false",
     "--insecure-port=0",
     "--audit-log-maxage=30",
     "--audit-log-maxbackup=10",
     "--audit-log-path=/var/log/apiserver/audit.log",
     "--audit-log-maxsize=100"
     ] |
     .spec.volumes += {"name": "audit-log", "hostPath":{"path":"/var/log/apiserver/audit.log", "type":"FileOrCreate"}} |
     .spec.containers[0].volumeMounts += {"mountPath": "/var/log/apiserver/audit.log", "name": "audit-log"}' \
     /etc/kubernetes/manifests/kube-apiserver.yaml | \
   sed 's/NodeRestriction/NodeRestriction,PodSecurityPolicy/' > \
   kube-apiserver.yaml.out
root@controlplane ~ ➜ api_container_id=$(crictl ps | grep apiserver | cut -f 1 -d ' ')
WARN[0000] runtime connect using default endpoints: [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]. As the default settings are now deprecated, you should set the endpoint instead.
WARN[0000] image connect using default endpoints: [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]. As the default settings are now deprecated, you should set the endpoint instead.
root@controlplane ~ ➜ mv -f kube-apiserver.yaml.out /etc/kubernetes/manifests/kube-apiserver.yaml
root@controlplane ~ ➜ systemctl restart kubelet
root@controlplane ~ ➜ crictl config \
   --set runtime-endpoint=unix:///var/run/dockershim.sock \
   --set image-endpoint=unix:///var/run/dockershim.sock
root@controlplane ~ ➜ kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS      AGE
coredns-64897985d-8dw6j                1/1     Running   0             26m
coredns-64897985d-m8dw6                1/1     Running   0             26m
etcd-controlplane                      1/1     Running   0             26m
kube-controller-manager-controlplane   1/1     Running   1 (59s ago)   3m54s
kube-proxy-g4h82                       1/1     Running   0             26m
kube-proxy-lx95l                       1/1     Running   0             26m
kube-scheduler-controlplane            1/1     Running   1 (58s ago)   2m41s
weave-net-5n7g6                        2/2     Running   0             26m
weave-net-wxfqq                        2/2     Running   1 (26m ago)   26m
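Steps 4 and 5 both edit the command list of a static pod manifest, and a mistyped yq expression or a flag that lands under the wrong key is only noticed when kube-bench is run again. The following added shell check (not part of the lab) verifies that a manifest carries every expected "- --flag=value" list item before you press Check. The cut-down kube-apiserver manifest is constructed for the example and deliberately lacks two of the flags; check_flags and missing_count are this example's own names.

```shell
#!/bin/sh
# Added example: confirm that a static pod manifest contains the required flags.
# check_flags <manifest> <flag=value>... -> prints "MISSING: <flag>" per absent
# flag and returns 1 if any is missing, 0 otherwise.
check_flags() {
  manifest=$1; shift
  rc=0
  for want in "$@"; do
    # Strip leading/trailing whitespace, then look for the exact list item
    # "- --flag=value" as a whole line (fixed-string match, no regex surprises).
    if ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$manifest" | grep -Fxq -- "- $want"; then
      echo "MISSING: $want"
      rc=1
    fi
  done
  return $rc
}

# missing_count <manifest> <flag=value>... -> number of absent flags
missing_count() {
  check_flags "$@" | wc -l | tr -d ' '
}

# Constructed cut-down kube-apiserver manifest (not the lab's file): the audit
# and admission flags are present, --profiling=false and --insecure-port=0 are not.
SAMPLE_MANIFEST=/tmp/kube-apiserver-sample.yaml
cat > "$SAMPLE_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
    - --audit-log-path=/var/log/apiserver/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    image: k8s.gcr.io/kube-apiserver:v1.23.0
EOF

# The flag set that the step 5 edit is expected to produce
APISERVER_FLAGS="--profiling=false --insecure-port=0 --audit-log-path=/var/log/apiserver/audit.log --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100"

if check_flags "$SAMPLE_MANIFEST" $APISERVER_FLAGS; then
  echo "all expected kube-apiserver flags present"
else
  echo "kube-apiserver manifest incomplete"
fi
```

On the lab cluster the same function can be pointed at the real manifests: the scheduler and controller manager each with --profiling=false, and the apiserver with the full list above plus the PodSecurityPolicy admission plugin value, which is checked here as the exact --enable-admission-plugins item.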


6. Click on Check & Confirm to complete the task successfully


Happy Learning!!!!


Apart from this, if you need more clarity, I have made a tutorial video on this; please go through it and share your comments. Like and share the knowledge.


