Using Kubeaudit to audit Kubernetes clusters

The Kubeaudit command line tool allows you to audit Kubernetes clusters for various security concerns.

Kubeaudit produces results with three levels of severity:

Error—A security issue or invalid Kubernetes configuration.
Warning—A best practice recommendation.
Info—Informational, no action required. This includes results that are overridden.

For more information on all the Kubeaudit command line options and usage, see the Kubeaudit documentation available in the GitHub Shopify/Kubeaudit repository.

Run Kubeaudit against your Full Flexera Kubernetes Inventory Agent's ./config/controller/deployment.yaml file, which is shown below.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    krm.flexera.com/component: controller
  name: krm-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      krm.flexera.com/component: controller
  template:
    metadata:
      labels:
        krm.flexera.com/component: controller
      annotations:
        container.apparmor.security.beta.kubernetes.io/controller: unconfined
    spec:
      serviceAccountName: controller
      containers:
      - name: controller
        args:
        - controller
        image: public.ecr.aws/flexera/krm:1.7.2
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
          requests:
            memory: "128Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
  strategy: {}

Warnings and errors

Using Kubeaudit with the following parameters will report errors and warnings that could be addressed:

$ kubeaudit all -f ./config/controller/deployment.yaml

Currently the following warnings and errors exist for the Full Flexera Kubernetes Inventory Agent:

[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.

---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: krm-controller
--------------------------------------------

-- [error] AppArmorDisabled
   Message: AppArmor is disabled. The apparmor annotation should be set to 'runtime/default' or start with 'localhost/'.
   Metadata:
      Annotation: container.apparmor.security.beta.kubernetes.io/controller
      AnnotationValue: unconfined
      Container: controller

-- [error] RunAsNonRootCSCFalse
   Message: runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.
   Metadata:
      Container: controller

Note: spec.template.spec.containers.securityContext.runAsNonRoot: false is required for the Full Flexera Kubernetes Inventory Agent to operate, so the RunAsNonRootCSCFalse error is expected.

The Full Flexera Kubernetes Inventory Agent needs to be run with root access for the following reasons:

The ndtrack module will not be able to correctly gather worker node hardware inventory.
Other standard agent processes expect root permissions and may not operate correctly.
ndtrack.sh cannot be executed as root when injected into containers and may not operate correctly.

Note: spec.template.metadata.annotations.container.apparmor.security.beta.kubernetes.io/controller: unconfined is required by default, but could be changed depending on the cluster's security settings. See Restrict a Container's Access to Resources with AppArmor in the Kubernetes Online Documentation.
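As an added example, not part of the Flexera documentation or of Kubeaudit itself, the following Python script parses Kubeaudit's text output in the format shown above and lets a CI job fail only on errors other than the two documented, expected findings. The sample output and the allowlist are constructed from this page; the rule names used in the tests are constructed too.

```python
import re
from collections import namedtuple

# Constructed sample: kubeaudit's text output for the agent's deployment as shown above.
SAMPLE_OUTPUT = """\
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: krm-controller
--------------------------------------------

-- [error] AppArmorDisabled
   Message: AppArmor is disabled. The apparmor annotation should be set to 'runtime/default' or start with 'localhost/'.
   Metadata:
      Annotation: container.apparmor.security.beta.kubernetes.io/controller
      AnnotationValue: unconfined
      Container: controller

-- [error] RunAsNonRootCSCFalse
   Message: runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.
   Metadata:
      Container: controller
"""

# Findings this page documents as expected for the agent: (rule, container).
EXPECTED = {("AppArmorDisabled", "controller"), ("RunAsNonRootCSCFalse", "controller")}

Finding = namedtuple("Finding", "severity rule container")

# One result header per finding, e.g. "-- [error] AppArmorDisabled".
RESULT_RE = re.compile(r"^-- \[(error|warning|info)\] (\S+)", re.M)


def parse_findings(text):
    """Split kubeaudit's text output into Finding records."""
    matches = list(RESULT_RE.finditer(text))
    findings = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end]  # the Message/Metadata lines of this result
        cont = re.search(r"^\s*Container:\s*(\S+)", body, re.M)
        findings.append(Finding(m.group(1), m.group(2), cont.group(1) if cont else None))
    return findings


def unexpected_findings(text, expected=EXPECTED):
    """Errors outside the documented allowlist; warnings are parsed but not gated."""
    return [f for f in parse_findings(text)
            if f.severity == "error" and (f.rule, f.container) not in expected]
```

Pipe the output of `kubeaudit all -f ./config/controller/deployment.yaml` into `unexpected_findings` and fail the job when the returned list is non-empty; any new error on a different rule or container then blocks the build while the two documented exceptions do not.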