aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0

failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2 #1595

Open eravindar12 opened 7 months ago

eravindar12 commented 7 months ago

Overview

I am trying to integrate AWS Security Hub and EKS, and I've come across the following issue. Would you happen to have any suggestions on how to resolve it? Your assistance would be greatly appreciated. Thank you!

Here are the details regarding the error encountered.

failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2

How did you run kube-bench?

[Please specify exactly how you ran kube-bench, including details of command parameters and/or job file that you used to run it]

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench
  # If using a dedicated IAM role for kube-bench, uncomment the annotations
  # block below and replace the ROLE_ARN
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::xxxxxx:role/kube-bench-xxx-scan-re"

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "xxxxx"
    AWS_REGION: "us-east-1"
    CLUSTER_ARN: "arn:aws:eks:us-east-1:xxxxx:cluster/xxx-xxx-stage"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          # Push the image to your ECR and then refer to it here
          image: docker.io/aquasec/kube-bench:latest
          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          # TBD - RE 
          # image: xxxxx.dkr.ecr.us-east-1.amazonaws.com/aquasec/kube-bench:latest
          command:
            [
              "kube-bench",
              "run",
              "--targets",
              "node",
              "--benchmark",
              "eks-1.2.0",
              "--asff",
            ]
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            - name: kube-bench-eks-config
              mountPath: "/opt/kube-bench/cfg/eks-1.2.0/config.yaml"
              subPath: config.yaml
              readOnly: true
      restartPolicy: Never
      serviceAccountName: kube-bench
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            items:
              - key: config.yaml
                path: config.yaml

What happened?

❯ k get po -n kube-bench
NAME               READY   STATUS   RESTARTS   AGE
kube-bench-g2lq2   0/1     Error    0          5m8s
kube-bench-m2tsw   0/1     Error    0          2m27s
❯ k describe po kube-bench-g2lq2 -n kube-bench
Name:             kube-bench-g2lq2
Namespace:        kube-bench
Priority:         0
Service Account:  kube-bench
Node:             ip-10-xx-xx-5.ec2.internal/10.xx.xx.x
Start Time:       Sun, 07 Apr 2024 12:32:53 -0500
Labels:           batch.kubernetes.io/controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  batch.kubernetes.io/job-name=kube-bench
                  controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  job-name=kube-bench
Annotations:      <none>
Status:           Failed
IP:               10.xx.xx.xxx
IPs:
  IP:           10.xx.xx.xxx
Controlled By:  Job/kube-bench
Containers:
  kube-bench:
    Container ID:  containerd://6d32baa3761533f37aa5a1017c7ebed7edc447cfbbc0b0226eb4a1a967f3659d
    Image:         docker.io/aquasec/kube-bench:latest
    Image ID:      docker.io/aquasec/kube-bench@sha256:1f91942f94a79c8298b06a562c74c17d43fcddb9159d82174485f8358ff3832b
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-bench
      run
      --targets
      node
      --benchmark
      eks-1.2.0
      --asff
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sun, 07 Apr 2024 12:32:53 -0500
      Finished:     Sun, 07 Apr 2024 12:32:54 -0500
    Ready:          False
    Restart Count:  0
    Environment:
      NODE_NAME:                     (v1:spec.nodeName)
      AWS_STS_REGIONAL_ENDPOINTS:   regional
      AWS_DEFAULT_REGION:           us-east-1
      AWS_REGION:                   us-east-1
      AWS_ROLE_ARN:                 arn:aws:iam::xxxxx:role/kube-bench-cis-scan-re
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /etc/kubernetes from etc-kubernetes (ro)
      /etc/systemd from etc-systemd (ro)
      /opt/kube-bench/cfg/eks-1.2.0/config.yaml from kube-bench-eks-config (ro,path="config.yaml")
      /var/lib/kubelet from var-lib-kubelet (ro)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zlqb5 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   False
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  var-lib-kubelet:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/kubelet
    HostPathType:
  etc-systemd:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/systemd
    HostPathType:
  etc-kubernetes:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes
    HostPathType:
  kube-bench-eks-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kube-bench-eks-config
    Optional:  false
  kube-api-access-zlqb5:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  5m19s  default-scheduler  Successfully assigned kube-bench/kube-bench-g2lq2 to ip-xx-xx-xx-5.ec2.internal
  Normal  Pulling    5m19s  kubelet            Pulling image "docker.io/aquasec/kube-bench:latest"
  Normal  Pulled     5m19s  kubelet            Successfully pulled image "docker.io/aquasec/kube-bench:latest" in 125ms (125ms including waiting)
  Normal  Created    5m19s  kubelet            Created container kube-bench
  Normal  Started    5m19s  kubelet            Started container kube-bench

What did you expect to happen:

I'm expecting that the pods should run smoothly and push the results to AWS Security Hub without encountering these errors.

Environment

[What is your version of kube-bench? (run kube-bench version)]

latest -> v0.7.2

[What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)]

EKS 1.29
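The Job above publishes through the pod's IRSA credentials and takes AWS_ACCOUNT, AWS_REGION and CLUSTER_ARN from the mounted config.yaml, so a config trio that does not describe the same cluster, a role from a different account, or a Security Hub that is not enabled in the target region all show up as a publish failure too. The following preflight script is an added example and is not part of kube-bench or of the issue reporter's manifest; the function names, the placeholder account id, region and cluster ARN are assumptions, and the live checks (KB_LIVE=1) assume the aws CLI runs with the same identity the Job's service account receives.

```shell
#!/bin/sh
# Added example, not kube-bench code: preflight for the EKS ASFF job.
# Offline part: verify the config.yaml fields are consistent with each other.
# Live part (KB_LIVE=1): confirm the identity and Security Hub state in the account.

# Read one flat "KEY: "value"" entry from the kube-bench eks config.yaml.
# Handles the quoted-or-bare scalar form used in the ConfigMap, nothing more.
kb_cfg_get() {
    sed -n 's/^[[:space:]]*'"$1"':[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$2" | head -n 1
}

# Check that AWS_ACCOUNT, AWS_REGION and CLUSTER_ARN describe the same cluster.
# Returns 0 when consistent; every problem found is reported on stderr.
kb_check_config() {
    cfg=$1
    account=$(kb_cfg_get AWS_ACCOUNT "$cfg")
    region=$(kb_cfg_get AWS_REGION "$cfg")
    arn=$(kb_cfg_get CLUSTER_ARN "$cfg")
    rc=0
    case $account in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "AWS_ACCOUNT must be a 12-digit account id, got '$account'" >&2; rc=1 ;;
    esac
    case $region in
        [a-z][a-z]-[a-z]*-[0-9]) ;;
        *) echo "AWS_REGION does not look like a region code: '$region'" >&2; rc=1 ;;
    esac
    # EKS cluster ARN layout: arn:<partition>:eks:<region>:<account>:cluster/<name>
    case $arn in
        arn:aws*:eks:*:*:cluster/?*) ;;
        *) echo "CLUSTER_ARN is not an EKS cluster ARN: '$arn'" >&2; rc=1 ;;
    esac
    arn_region=$(printf '%s' "$arn" | cut -d: -f4)
    arn_account=$(printf '%s' "$arn" | cut -d: -f5)
    [ "$arn_region" = "$region" ] ||
        { echo "CLUSTER_ARN region '$arn_region' differs from AWS_REGION '$region'" >&2; rc=1; }
    [ "$arn_account" = "$account" ] ||
        { echo "CLUSTER_ARN account '$arn_account' differs from AWS_ACCOUNT '$account'" >&2; rc=1; }
    [ $rc -eq 0 ] && echo "config ok: account=$account region=$region cluster=${arn##*/}"
    return $rc
}

# Live checks. Run them with the identity the Job gets (a debug pod using the
# kube-bench service account, or an operator session that assumed the IRSA role).
kb_preflight_aws() {
    region=$1
    # The caller should be the kube-bench IRSA role and live in AWS_ACCOUNT; the
    # finding's AwsAccountId is expected to be the calling account.
    aws sts get-caller-identity --region "$region" --query '[Account,Arn]' --output text
    # Security Hub must be enabled in the region kube-bench publishes to.
    aws securityhub describe-hub --region "$region" --query HubArn --output text
    # The kube-bench integration must be enabled for import, otherwise
    # BatchImportFindings for its product ARN is refused.
    aws securityhub list-enabled-products-for-import --region "$region" \
        --query "ProductSubscriptions[?contains(@, 'kube-bench')]" --output text
}

# Constructed sample in the shape of the ConfigMap above (placeholder values).
kb_sample_config() {
    printf '%s\n' 'AWS_ACCOUNT: "123456789012"' 'AWS_REGION: "us-east-1"' \
        'CLUSTER_ARN: "arn:aws:eks:us-east-1:123456789012:cluster/example-stage"'
}

sample=${TMPDIR:-/tmp}/kb-bench-cfg.$$
kb_sample_config > "$sample"
kb_check_config "$sample"
if [ "${KB_LIVE:-0}" = 1 ]; then
    kb_preflight_aws "$(kb_cfg_get AWS_REGION "$sample")"
fi
rm -f "$sample"
```

Point kb_check_config at the real file (kubectl get configmap kube-bench-eks-config -o jsonpath='{.data.config\.yaml}' > cfg.yaml) before applying the Job; if the offline and live checks both pass and the pod still exits with the ResolveEndpointV2 error, the problem is inside the kube-bench binary rather than in the account setup.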

codehopper-uk commented 6 months ago

Any update on this? I'm experiencing the same error with the same setup: failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2

harshvardhan1402 commented 6 months ago

facing the same error too, do we have any update on this?

ShahbazRahmat commented 5 months ago

Hi @harshvardhan1402,

I encountered the same issue while deploying Kube-bench with the latest version. The latest version has some bugs, though I am not sure of the specifics. However, I deployed version 6.19.0, and it is working for me.

You can download version 6.19.0 using the command below and follow the steps mentioned in the official documentation.

git clone https://github.com/aquasecurity/kube-bench.git --branch v0.6.19

prafultamrakar commented 2 months ago

git clone https://github.com/aquasecurity/kube-bench.git --branch v0.6.19 worked for me thanks @ShahbazRahmat

w-reichert commented 2 months ago

I wonder if this issue will be fixed. In version v0.8.0 we still see the same error.

The root cause might be related to the aws-sdk-go packages as described here: https://github.com/aws/aws-sdk-go-v2/issues/2370#issuecomment-1953308268

Thank you.