Closed wyardley closed 3 years ago
binamov
commented
3 years ago You should use train-kubernetes 0.1.6 the manpage you followed is a bit outdated @wyardley
In your stacktrace i see it's using a cached 0.1.2 dependency, consider removing inspec.lock before re-running
wyardley
commented
3 years ago In your stacktrace i see it's using a cached 0.1.2 dependency, consider removing inspec.lock before re-running
@binamov thanks for the response
Probably because of https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark/blob/c8d614b3a996dc1f6635bb55297384d78b20095d/inspec-gke-cis-k8s/inspec.yml#L26-L27 ?
Also, it looks like that's inspec-k8s vs train-kubernetes? The latter has a 0.1.6, the latest of the former is 0.1.3 https://github.com/bgeesaman/inspec-k8s (side note: there's no tag cut on https://github.com/bgeesaman/train-kubernetes except for 0.1.4). The docs didn't mention anything about the dependencies directly within those configs, just installing the gem.
Updating that version to 0.1.3:
[2021-02-22T11:16:32-08:00] DEBUG: Using cached dependency for {:url=>"https://github.com/bgeesaman/inspec-k8s/archive/0.1.3.tar.gz", :sha256=>"761070fc6b1aabb4a5c593d508fb4a8c868ae1b2c45a3d22524c385e18c115bd", :backend=>Inspec::Backend::Class @transport=TrainPlugins::TrainKubernetes::Connection, :inputs=>nil}
[2021-02-22T11:16:32-08:00] DEBUG: Loading libraries/k8s_backend.rb into #<Inspec::ProfileContext:0x00007f9edc505988>
[2021-02-22T11:16:32-08:00] DEBUG: Loading libraries/k8sobject.rb into #<Inspec::ProfileContext:0x00007f9edc505988>
[2021-02-22T11:16:32-08:00] DEBUG: Loading libraries/k8sobjects.rb into #<Inspec::ProfileContext:0x00007f9edc505988>
[2021-02-22T11:16:32-08:00] DEBUG: Loading libraries/k8sversion.rb into #<Inspec::ProfileContext:0x00007f9edc505988>
[2021-02-22T11:16:32-08:00] DEBUG: Loading inspec-gke-cis-k8s/controls/4.02-pod-security-policies.rb into #<Inspec::ProfileContext:0x00007f9edcbee330>
[2021-02-22T11:16:32-08:00] ERROR: Failed to load profile inspec-gke-cis-k8s: Failed to load source for controls/4.02-pod-security-policies.rb: Unknown resource podsecuritypolicies for extensions/v1beta1
Profile: InSpec GKE CIS 1.1 Benchmark (inspec-gke-cis-k8s)
Version: 0.1.0
Failure Message: Failed to load source for controls/4.02-pod-security-policies.rb: Unknown resource podsecuritypolicies for extensions/v1beta1
Target: kubernetes://xx.xx.xx.xx:443
No tests executed.
Profile: InSpec Profile (inspec-k8s)
Version: 0.1.3
Target: kubernetes://xx.xx.xx.xx:443
No tests executed.
Test Summary: 0 successful, 0 failures, 0 skippedI can play with some other stuff, but seems to me like there are some things that likely should be updated in this project as well as the docs?
wyardley
commented
3 years ago if I take out the dependency completely, I get the following
[2021-02-22T11:30:07-08:00] DEBUG: Option backend_cache is enabled
[2021-02-22T11:30:07-08:00] DEBUG: Resolve inspec-gke-cis-k8s into cache /Users/wyardley/.inspec/cache
[2021-02-22T11:30:07-08:00] DEBUG: Dependency does not exist in the cache inspec-gke-cis-k8s
[2021-02-22T11:30:07-08:00] DEBUG: Starting run with targets: ["Inspec::Profile<inspec-gke-cis-k8s>"]
[2021-02-22T11:30:07-08:00] DEBUG: Creating lockfile: inspec-gke-cis-k8s/inspec.lock
[2021-02-22T11:30:07-08:00] DEBUG: Loading inspec-gke-cis-k8s/controls/4.02-pod-security-policies.rb into #<Inspec::ProfileContext:0x00007f87cae15970>
[2021-02-22T11:30:07-08:00] ERROR: Failed to load profile inspec-gke-cis-k8s: Failed to load source for controls/4.02-pod-security-policies.rb: undefined method `k8sobjects' for #<Inspec::ControlEvalContext:0x00007f87cadef360>
Profile: InSpec GKE CIS 1.1 Benchmark (inspec-gke-cis-k8s)
Version: 0.1.0
Failure Message: Failed to load source for controls/4.02-pod-security-policies.rb: undefined method `k8sobjects' for #<Inspec::ControlEvalContext:0x00007f87cadef360>
Target: kubernetes://xx.xx.xx.xx:443
No tests executed.
Test Summary: 0 successful, 0 failures, 0 skippedKeep the dependency but at 0.1.3 for inspec-k8s?
wyardley
commented
3 years ago Keep the dependency but at 0.1.3 for inspec-k8s?
Yeah, tried that - same error (see output / comment in https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark/issues/19#issuecomment-783616475)
binamov
commented
3 years ago @wyardley I see you have a train-k8s in your gem list and none of our devs do, I think that's the source of the conflict?
jpg9503
commented
3 years ago Hi, I tried setting this up today against a new GKE cluster and was getting the same original error that was referenced here - "Unknown resource podsecuritypolicies for extensions/v1beta1". Seemed like I had all the dependencies right, but was still getting the error. I changed the code to use "policy/v1beta1" instead of "extensions/v1beta1" as I had read something about the removal of deprecated podsecuritypolicy API endpoints in 1.16. That seemed to make it work. I'm new to inspec and relatively new to kubernetes, so wanted to make sure I'm on the right track with that.
KonradSchieban
commented
3 years ago Thank you @wyardley for raising this issue and @jpg9503 for investigating. Indeed, looks like pod_security_policies has moved to a different API.
Hi - running into the error
Unknown resource podsecuritypolicies for extensions/v1beta1with the kubernetes profile here.kubectl get podsecuritypoliciesdoes function, for example, for one of the clusters being checked:pretty minimal
inputs.yml:I don't have certificate paths explicitly configured, but I do have a valid
~/.kube/configthat should have valid creds for all the clusters I want to scan, and the regular GCP reporting works fine against all the clusters in the configured project.I am using a slightly newer version of the plugin than the one documented. I can try downgrading if that's suggested (I tried
% inspec plugin install train-kubernetes --version=0.1.3, however, it didn't seem to work for me).side note: the docs mention
inspect plugins list, which doesn't appear to be valid.