Using Kubeaudit to audit Kubernetes clusters
The Kubeaudit command line tool allows you to audit Kubernetes clusters for various security concerns. Each result it reports is classified at one of three levels:
- Error—A security issue or invalid Kubernetes configuration.
- Warning—A best practice recommendation.
- Info—Informational, no action required. This includes results that are overridden.
For more information on all the Kubeaudit command line options and usage, see the Kubeaudit documentation in the Shopify/Kubeaudit repository on GitHub.
Run Kubeaudit, as shown under Warnings and errors below, to examine your Full Flexera Kubernetes Inventory Agent's ./config/controller/deployment.yaml file, which is reproduced here:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    krm.flexera.com/component: controller
  name: krm-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      krm.flexera.com/component: controller
  template:
    metadata:
      labels:
        krm.flexera.com/component: controller
      annotations:
        container.apparmor.security.beta.kubernetes.io/controller: unconfined
    spec:
      serviceAccountName: controller
      containers:
      - name: controller
        args:
        - controller
        image: public.ecr.aws/flexera/krm:1.7.2
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
          requests:
            memory: "128Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
  strategy: {}
Warnings and errors
Running Kubeaudit with the following parameters reports the errors and warnings that could be addressed:
$ kubeaudit all -f ./config/controller/deployment.yaml
Currently the following warning and errors exist for the Full Flexera Kubernetes Inventory Agent:
[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: krm-controller
--------------------------------------------
-- [error] AppArmorDisabled
   Message: AppArmor is disabled. The apparmor annotation should be set to 'runtime/default' or start with 'localhost/'.
   Metadata:
      Annotation: container.apparmor.security.beta.kubernetes.io/controller
      AnnotationValue: unconfined
      Container: controller
-- [error] RunAsNonRootCSCFalse
   Message: runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.
   Metadata:
      Container: controller
spec.template.spec.containers.securityContext.runAsNonRoot: false is required for the Full Flexera Kubernetes Inventory Agent to operate, therefore the error RunAsNonRootCSCFalse is expected, for the following reasons:
- The ndtrack module will not be able to correctly gather worker node hardware inventory.
- Other standard agent processes expect root permissions and may not operate correctly.
- ndtrack.sh cannot be executed as root when injected into containers and may not operate correctly.
spec.template.metadata.annotations.container.apparmor.security.beta.kubernetes.io/controller: unconfined is required by default, but could be changed depending on the cluster's security settings. See Restrict a Container's Access to Resources with AppArmor in the Kubernetes Online Documentation.
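The two findings above can be reproduced and triaged outside Kubeaudit with a small check of your own. The following Python is an added example written for this page; it is not Kubeaudit's code or Flexera's. It takes the krm-controller Deployment shown on this page (written out as a Python dict, so no YAML library is needed), re-implements the two rules exactly as the Kubeaudit messages describe them (the AppArmor annotation must be runtime/default or start with localhost/; runAsNonRoot: false needs a runAsUser greater than 0 to compensate), and treats RunAsNonRootCSCFalse as the documented exception the way this page does, so only unexpected findings are left to act on. The function names, the expected tuple, and the choice to skip containers that carry no AppArmor annotation are assumptions of this example.

```python
import copy

# Constructed: the krm-controller Deployment from this page, reduced to the
# fields the two checks below read and written as a dict so no YAML parser is needed.
KRM_CONTROLLER_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "krm-controller",
                 "labels": {"krm.flexera.com/component": "controller"}},
    "spec": {
        "replicas": 1,
        "template": {
            "metadata": {
                "labels": {"krm.flexera.com/component": "controller"},
                "annotations": {
                    "container.apparmor.security.beta.kubernetes.io/controller": "unconfined",
                },
            },
            "spec": {
                "serviceAccountName": "controller",
                "containers": [{
                    "name": "controller",
                    "image": "public.ecr.aws/flexera/krm:1.7.2",
                    "securityContext": {
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]},
                        "privileged": False,
                        "readOnlyRootFilesystem": True,
                        "runAsNonRoot": False,
                    },
                }],
                "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            },
        },
    },
}

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def check_apparmor(deployment):
    """AppArmorDisabled, as the Kubeaudit message states it: the per-container
    annotation must be 'runtime/default' or start with 'localhost/'."""
    findings = []
    annotations = deployment["spec"]["template"]["metadata"].get("annotations", {})
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        value = annotations.get(APPARMOR_PREFIX + container["name"])
        if value is None:
            continue  # assumption: only an explicit annotation is evaluated here
        if value == "runtime/default" or value.startswith("localhost/"):
            continue
        findings.append(("error", "AppArmorDisabled", container["name"], value))
    return findings


def check_run_as_non_root(deployment):
    """RunAsNonRootCSCFalse: a container securityContext with runAsNonRoot false
    and no runAsUser > 0 to compensate."""
    findings = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        sc = container.get("securityContext", {})
        if sc.get("runAsNonRoot") is False and not sc.get("runAsUser", 0) > 0:
            findings.append(("error", "RunAsNonRootCSCFalse", container["name"], False))
    return findings


def audit(deployment, expected=()):
    """Run both checks; split results into findings that still need action and
    findings the operator has documented as expected (hypothetical 'expected' list)."""
    findings = check_apparmor(deployment) + check_run_as_non_root(deployment)
    unexpected = [f for f in findings if f[1] not in expected]
    accepted = [f for f in findings if f[1] in expected]
    return unexpected, accepted


def with_runtime_default_apparmor(deployment):
    """Copy of the Deployment with every container's AppArmor annotation set to
    runtime/default, the value the AppArmorDisabled message asks for."""
    fixed = copy.deepcopy(deployment)
    annotations = fixed["spec"]["template"]["metadata"].setdefault("annotations", {})
    for container in fixed["spec"]["template"]["spec"]["containers"]:
        annotations[APPARMOR_PREFIX + container["name"]] = "runtime/default"
    return fixed


if __name__ == "__main__":
    expected = ("RunAsNonRootCSCFalse",)  # documented on this page as required by the agent
    unexpected, accepted = audit(KRM_CONTROLLER_DEPLOYMENT, expected)
    for level, rule, container, value in unexpected:
        print(f"[{level}] {rule} container={container} value={value}")
    for _, rule, container, _ in accepted:
        print(f"[info] {rule} container={container} accepted as expected")
    # After switching the annotation to runtime/default only the documented exception remains.
    unexpected, _ = audit(with_runtime_default_apparmor(KRM_CONTROLLER_DEPLOYMENT), expected)
    print("remaining unexpected findings:", len(unexpected))
```

Run against the manifest as shipped, the script reports AppArmorDisabled as the one finding still needing a decision and lists RunAsNonRootCSCFalse as accepted; after the annotation is switched to runtime/default (or a localhost/ profile your cluster provides), nothing unexpected remains.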