Kube Bench AWS RBAC recommendation #1490

tppalani · 2023-08-27T15:10:39Z

tppalani
Aug 27, 2023

Hi Team,

Just want to let you know about my general query, I have EKS cluster which is running single node group with two nodes, i have used below yaml file and applied file into my cluster. When i'm seeing kube bench pod logs specifically RBAC most of the items are coming us Warning message, and remediation notes not much useful to fix recommendation method or I don't have enough knowledge to fix the issues according kube-bench logs.

Adding One points from kube-bench logs. According to this warning message, Not sure how to check secrets whether having minimal access to view k8s resources with verbs list , get, watch, create so on...

can you help me how to check secrets and how to identify whether secrets are defined as per the aqua security guidelines.

[WARN] 4.1.2 Minimize access to secrets (Manual).

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    metadata:
      labels:
        app: kube-bench
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          image: aquasec/kube-bench:latest
          command: ["kube-bench"]
          volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: var-lib-kube-scheduler
              mountPath: /var/lib/kube-scheduler
              readOnly: true
            - name: var-lib-kube-controller-manager
              mountPath: /var/lib/kube-controller-manager
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: lib-systemd
              mountPath: /lib/systemd/
              readOnly: true
            - name: srv-kubernetes
              mountPath: /srv/kubernetes/
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
              # You can omit this mount if you specify --version as part of the command.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
            - name: etc-cni-netd
              mountPath: /etc/cni/net.d/
              readOnly: true
            - name: opt-cni-bin
              mountPath: /opt/cni/bin/
              readOnly: true
      restartPolicy: Never
      volumes:
        - name: var-lib-etcd
          hostPath:
            path: "/var/lib/etcd"
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: var-lib-kube-scheduler
          hostPath:
            path: "/var/lib/kube-scheduler"
        - name: var-lib-kube-controller-manager
          hostPath:
            path: "/var/lib/kube-controller-manager"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: lib-systemd
          hostPath:
            path: "/lib/systemd"
        - name: srv-kubernetes
          hostPath:
            path: "/srv/kubernetes"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: usr-bin
          hostPath:
            path: "/usr/bin"
        - name: etc-cni-netd
          hostPath:
            path: "/etc/cni/net.d/"
        - name: opt-cni-bin
          hostPath:
            path: "/opt/cni/bin/"

tppalani · 2023-08-28T18:29:13Z

tppalani
Aug 28, 2023
Author

Hi @everyone, do you any update on this

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kube Bench AWS RBAC recommendation #1490

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Kube Bench AWS RBAC recommendation #1490

tppalani Aug 27, 2023

Replies: 1 comment

tppalani Aug 28, 2023 Author

tppalani
Aug 27, 2023

tppalani
Aug 28, 2023
Author