aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0

Etcd check failed with a custom etcd setup #828

Open RolandMa1986 opened 3 years ago

RolandMa1986 commented 3 years ago

Overview We have a custom Etcd cluster that is set up with systemd and bash scripts. We can't pass the 'Etcd Node Configuration' check.

Environment Kubernetes v1.18.6 Kube-bench: v0.5.0

Running processes

$ /bin/ps -f -C etcd 
UID        PID  PPID  C STIME TTY          TIME CMD
root      2448     1  0 Feb18 ?        00:00:00 /bin/bash /usr/local/bin/etcd # this is a bash script that use to start a etcd container.
root      2533  2497  2 Feb18 ?        02:37:29 /usr/local/bin/etcd # the real etcd process inside container

Anything else you would like to add: All of our settings are presented in the Environment. But it seems the default AuditEnv command can't handle the above situation, since the /bin/ps -C etcd -o pid= would return 2 lines. https://github.com/aquasecurity/kube-bench/blob/3e9b5a7b49048c7ca59beed2b87899ddd9673736/cmd/common.go#L141

Definitely, we can resolve this issue by renaming the script or creating a customized cis cfg. But on the other hand, I'm wondering whether the default AuditEnv command could be changed to a more specific command that exactly matches the etcd command instead of the script.
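
The wrapper-script situation described above, reproduced as an added example (this is not kube-bench's own code): `ps -C etcd` matches on the process name, which is "etcd" for both the bash wrapper and the real binary, so a PID-only audit sees two processes. Filtering the same `ps` output on the first token of the full command line (argv[0]) keeps only the real etcd binary. The sample `ps` listing is constructed from the PIDs in this issue; `filter_real_etcd` is a name chosen here.

```shell
#!/bin/sh
# Constructed sample of `ps -C etcd -o pid=,args=` on a host where /usr/local/bin/etcd
# is a bash wrapper (PID 2448) that starts the real etcd binary (PID 2533).
SAMPLE_PS_OUTPUT='2448 /bin/bash /usr/local/bin/etcd
2533 /usr/local/bin/etcd --name node1 --listen-client-urls https://127.0.0.1:2379'

# What a PID-only audit (`ps -C etcd -o pid=`) effectively yields: every PID whose
# process name is "etcd", which here is both the wrapper and the binary.
naive_pids() {
  printf '%s\n' "$SAMPLE_PS_OUTPUT" | awk '{ print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# Stricter filter, reading `pid args` lines on stdin: keep a line only when the
# basename of argv[0] (field 2) is exactly "etcd". A wrapper started through a
# shell interpreter has argv[0] = /bin/bash, so it is excluded.
filter_real_etcd() {
  awk '{
    n = split($2, parts, "/")
    if (parts[n] == "etcd") print $1
  }'
}

# Apply the stricter filter to the constructed sample.
real_etcd_pids() {
  printf '%s\n' "$SAMPLE_PS_OUTPUT" | filter_real_etcd | tr '\n' ' ' | sed 's/ $//'
}

# Live use on a node would be: ps -C etcd -o pid=,args= | filter_real_etcd
echo "naive: $(naive_pids)"      # prints: naive: 2448 2533
echo "strict: $(real_etcd_pids)" # prints: strict: 2533
```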

yoavrotems commented 3 years ago

Hey, currently we have other issues and enhancements and won't add this enhancement, because there is an easy fix; I would just use one of the fixes you suggested. I will leave this issue open and tag it as help wanted in case someone from the community wants to contribute on the subject :)