Kubernetes Control Plane Charm

cis-benchmark action missing with 1.29/beta

Bug #2044219 reported by Yoshi Kadokawa on 2023-11-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Kubernetes Control Plane Charm	In Progress	Medium	Kevin W Monroe	Kubernetes Control Plane Charm 1.31
	Kubernetes Worker Charm	In Progress	Medium	Kevin W Monroe	Kubernetes Worker Charm 1.31

Bug Description

The cis-benchmark action is missing from kubernetes-control-plane and kubernetes-worker from 1.29/beta.
This is necessary to validate CIS on Kubernetes cluster.

Revision history for this message

Yoshi Kadokawa (yoshikadokawa) wrote on 2023-11-22:

As this was available with 1.28/stable charm, and no other workaround is available,
subscribing this to field-critical.

George Kraft (cynerva) on 2023-11-28

Changed in charm-kubernetes-master:
milestone:	none → 1.29
Changed in charm-kubernetes-worker:
milestone:	none → 1.29
Changed in charm-kubernetes-master:
importance:	Undecided → Critical
Changed in charm-kubernetes-worker:
importance:	Undecided → Critical

Revision history for this message

Yoshi Kadokawa (yoshikadokawa) wrote on 2023-12-07:

for now as a workaround I have applied the kube-bench manually with the following commands inside each hosts, kubernetes-worker and kubernetes-control-plane.

Following steps were necessary to prep to run kube-bench:
wget https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.23.zip
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.19/kube-bench_0.6.19_linux_amd64.deb
sudo dpkg -i ./kube-bench_0.6.19_linux_amd64.deb
mkdir -p /home/ubuntu/kube-bench
unzip -d /home/ubuntu/kube-bench cis-1.23.zip

kubernetes-control-plane:
sudo kube-bench -D /home/ubuntu/kube-bench/kube-bench-config-cis-1.23 \
--benchmark cis-1.23 \
run --targets master

kubernetes-worker:
sudo kube-bench -D /home/ubuntu/kube-bench/kube-bench-config-cis-1.23 \
--benchmark cis-1.23 \
run --targets node

Kevin W Monroe (kwmonroe) on 2024-02-21

Changed in charm-kubernetes-master:
status:	New → Triaged
Changed in charm-kubernetes-worker:
status:	New → Triaged
Changed in charm-kubernetes-master:
importance:	Critical → High
Changed in charm-kubernetes-worker:
importance:	Critical → High
Changed in charm-kubernetes-master:
milestone:	1.29 → 1.29+ck1
Changed in charm-kubernetes-worker:
milestone:	1.29 → 1.29+ck1

Revision history for this message

Kevin W Monroe (kwmonroe) wrote on 2024-02-21:

Dropping down to High given the workaround in #2. While not ideal nor convenient, that workaround is effectively what the action does. Targeting re-inclusion of the cis-benchmark action in 1.29+ck1.

Kevin W Monroe (kwmonroe) on 2024-03-24

Changed in charm-kubernetes-master:
assignee:	nobody → Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-worker:
assignee:	nobody → Kevin W Monroe (kwmonroe)
status:	Triaged → In Progress
Changed in charm-kubernetes-master:
status:	Triaged → In Progress

Kevin W Monroe (kwmonroe) on 2024-03-25

Changed in charm-kubernetes-master:
milestone:	1.29+ck1 → 1.30
Changed in charm-kubernetes-worker:
milestone:	1.29+ck1 → 1.30
Changed in charm-kubernetes-master:
importance:	High → Medium
Changed in charm-kubernetes-worker:
importance:	High → Medium

Revision history for this message

Kevin W Monroe (kwmonroe) wrote on 2024-03-25:

CIS Kubernetes Benchmark scanning was made available in the Trivy CLI (in addition to quite a few more trivy features) last year:

https://www.aquasec.com/blog/trivy-kubernetes-cis-benchmark-scanning/

I've confirmed the manual steps from comment #2 are still valid for charmed k8s 1.29, as are the upstream trivy getting started instructions. Given that, the better solution here is to include something like a `trivy` action as a superset of the functionality that the `cis-benchmark` action provided.

I'm re-targeting this for the upcoming 1.30 release.

Revision history for this message

Patrizio Bassi (patriziobassibdi) wrote on 2024-04-18:

Hi, is 1.30 release fixing it?

Will it work in a airgapped environment where you cannot do wget from github, i mean can we attach resources? i don't see them in the actual charm implementation

Revision history for this message

Adam Dyess (addyess) wrote on 2024-06-02:

I took a stab at porting this.
https://github.com/charmed-kubernetes/charm-kubernetes-control-plane/pull/349

You can download the config and release into your airgapped installation, host them internally in your airgapped environment on a web service, then point the action to run from the corrected URLs.

juju run action <unit> cis-benchmark apply=<action> \
config=https://airgapped.internal/kube-bench/config/archive/cis-1.23.zip#sha1=3cda2fc68b4ca36f69f5913bfc0b02576e7a3b3d \
release=https://airgapped.internal/kube-bench/releases/download/v0.6.8/kube-bench_0.6.8_linux_amd64.tar.gz#sha256=5f9c5231949bd022a6993f5297cc05bb80a1b7c36a43cefed0a8c8af26778863

Revision history for this message

Adam Dyess (addyess) wrote on 2024-06-06:

While we have a possible fix for this, time doesn't permit the testing, and distribution of this change to the worker and control-plane charms. Slating for the 1.31 branch

Changed in charm-kubernetes-master:
milestone:	1.30 → 1.31
Changed in charm-kubernetes-worker:
milestone:	1.30 → 1.31

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.