aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0
7.08k stars 1.23k forks

Typo in rh-1.0/4.1.3 #1651

Closed Arano-kai closed 1 month ago

Arano-kai commented 3 months ago

Overview

#1597 contains a small typo in rh-1.0/4.1.3 that breaks the check

How did you run kube-bench?

Deployed the job-node.yaml on OKD 4.12

What happened? Related debug log:

I0730 07:41:14.744366 3503397 check.go:110] -----   Running check 4.1.3   -----
I0730 07:41:15.019047 3503397 check.go:180] failed to run: "# Get the node name where the pod is running\nNODE_NAME=$(oc get pod \"$HOSTNAME\" -o=jsonpath='{.spec.nodeName}')\n# Get the pod name in the openshift-sdn namespace\nPOD_NAME=$(oc get pods -n openshift-sdn -l app=sdn --field-selector spec.nodeName=\"$NODE_NAME\" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)\n\nif [ -z \"$POD_NAME\" ]; then\necho \"No matching pods found on the current node.\"\nelse\n# Execute the stat command\noc exec -n openshift-sdn \"$POD_NAME\"  - stat -Lc \"$i %n permissions=%a\" /config/kube-proxy-config.yaml  2>/dev/null\nfi", output: "", error: exit status 1
I0730 07:41:15.019103 3503397 check.go:186] Command: "# Get the node name where the pod is running\nNODE_NAME=$(oc get pod \"$HOSTNAME\" -o=jsonpath='{.spec.nodeName}')\n# Get the pod name in the openshift-sdn namespace\nPOD_NAME=$(oc get pods -n openshift-sdn -l app=sdn --field-selector spec.nodeName=\"$NODE_NAME\" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)\n\nif [ -z \"$POD_NAME\" ]; then\necho \"No matching pods found on the current node.\"\nelse\n# Execute the stat command\noc exec -n openshift-sdn \"$POD_NAME\"  - stat -Lc \"$i %n permissions=%a\" /config/kube-proxy-config.yaml  2>/dev/null\nfi\n" TestResult: <<EMPTY>> 
I0730 07:41:15.019119 3503397 check.go:190] failed to run: "# Get the node name where the pod is running\nNODE_NAME=$(oc get pod \"$HOSTNAME\" -o=jsonpath='{.spec.nodeName}')\n# Get the pod name in the openshift-sdn namespace\nPOD_NAME=$(oc get pods -n openshift-sdn -l app=sdn --field-selector spec.nodeName=\"$NODE_NAME\" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)\n\nif [ -z \"$POD_NAME\" ]; then\necho \"No matching pods found on the current node.\"\nelse\n# Execute the stat command\noc exec -n openshift-sdn \"$POD_NAME\"  - stat -Lc \"$i %n permissions=%a\" /config/kube-proxy-config.yaml  2>/dev/null\nfi", output: "", error: exit status 1

Error in the oc exec ... part: the container command is preceded by a single dash, but should be preceded by a double dash instead

What did you expect to happen:

The check rh-1.0/4.1.3 must succeed

Environment

$ kube-bench version
v0.8.0
$ oc version
Client Version: 4.12.13
Kustomize Version: v4.5.7
Server Version: 4.12.0-0.okd-2023-03-18-084815
Kubernetes Version: v1.25.0-2786+eab9cc98fe4c00-dirty
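Added example, not kube-bench's own check text: the 4.1.3 audit from the log above with the oc exec separator corrected from "-" to "--", run against a constructed stub of oc so it executes offline. The stub, the pod and node names, and the mode 600 it reports are all assumptions; the stub only imitates the behaviour that breaks the check, namely that arguments after the pod name are parsed as oc's own flags unless "--" ends option parsing.

```shell
#!/bin/sh
# Added example, not kube-bench code: rh-1.0/4.1.3 audit with the
# "oc exec" separator corrected from "-" to "--".
# "oc" is a constructed stub so the script runs offline; it imitates only
# what matters here: anything after the pod name is parsed as oc's own
# flags unless "--" ends oc's option parsing.

HOSTNAME=kube-bench-demo        # constructed name of the kube-bench pod

oc() {
  case "$1 $2" in
    "get pod")  printf 'worker-0\n' ;;        # node the kube-bench pod runs on
    "get pods") printf 'sdn-worker-0\n' ;;    # sdn pod selected on that node
    "exec -n")
      shift 4                                 # drop: exec -n <namespace> <pod>
      if [ "$1" != "--" ]; then
        echo "oc: -Lc would be parsed as oc flags" >&2   # stand-in for oc's error
        return 1                              # exit status 1, as in the log
      fi
      shift                                   # drop "--"; $@ is the container command
      # pretend "stat -Lc <fmt> <file>" ran inside the container (mode is made up)
      printf '%s permissions=%s\n' "$4" 600
      ;;
  esac
}

# Usage: audit_4_1_3 [separator]; pass "-" to reproduce the typo from the issue.
audit_4_1_3() {
  sep=$1
  [ -n "$sep" ] || sep=--
  NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
  POD_NAME=$(oc get pods -n openshift-sdn -l app=sdn \
    --field-selector spec.nodeName="$NODE_NAME" \
    -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
  if [ -z "$POD_NAME" ]; then
    echo "No matching pods found on the current node."
    return 1
  fi
  # the unset "$i" seen in the log's format string is left out
  oc exec -n openshift-sdn "$POD_NAME" "$sep" stat -Lc "%n permissions=%a" \
    /config/kube-proxy-config.yaml 2>/dev/null
}

audit_4_1_3          # prints: /config/kube-proxy-config.yaml permissions=600
audit_4_1_3 - || echo "single dash: check fails with exit status $?"
```

Because stderr is discarded in the real check, the only visible symptom of the typo is an empty result with exit status 1, which is exactly what the debug log shows.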