
Using Kubeaudit to audit Kubernetes clusters

The Kubeaudit command line tool allows you to audit a running Kubernetes cluster, or Kubernetes manifest files such as the Deployment shown below, for common security concerns.

Kubeaudit produces results with three levels of severity:

  • Error: A security issue or invalid Kubernetes configuration.

  • Warning: A best practice recommendation.

  • Info: Informational, no action required. This includes results that are overridden.

For more information on all the Kubeaudit command line options and usage, see the Kubeaudit documentation in the Shopify/kubeaudit repository on GitHub.

Kubeaudit is run against the Full Flexera Kubernetes Inventory Agent's ./config/controller/deployment.yaml file, reproduced below (the command itself is given under Warnings and errors):

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    krm.flexera.com/component: controller
  name: krm-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      krm.flexera.com/component: controller
  template:
    metadata:
      labels:
        krm.flexera.com/component: controller
      annotations:
        container.apparmor.security.beta.kubernetes.io/controller: unconfined
    spec:
      serviceAccountName: controller
      containers:
      - name: controller
        args:
        - controller
        image: public.ecr.aws/flexera/krm:1.7.2
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
          requests:
            memory: "128Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
  strategy: {}

Warnings and errors

Running Kubeaudit with the following parameters reports the errors and warnings that could be addressed:

$ kubeaudit all -f ./config/controller/deployment.yaml

Currently the following warnings and errors exist for the Full Flexera Kubernetes Inventory Agent:

[WARNING]: kubernetes.io for override labels will soon be deprecated. Please, update them to use kubeaudit.io instead.
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: krm-controller
--------------------------------------------
-- [error] AppArmorDisabled
   Message: AppArmor is disabled. The apparmor annotation should be set to 'runtime/default' or start with 'localhost/'.
   Metadata:
      Annotation: container.apparmor.security.beta.kubernetes.io/controller
      AnnotationValue: unconfined
      Container: controller

-- [error] RunAsNonRootCSCFalse
   Message: runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.
   Metadata:
      Container: controller
note

spec.template.spec.containers[].securityContext.runAsNonRoot: false is required for the Full Flexera Kubernetes Inventory Agent to operate, so the RunAsNonRootCSCFalse error is expected. The alternative Kubeaudit suggests, setting runAsUser to a value greater than 0, would likewise stop the agent from running as root and is therefore not an option either.

The Full Flexera Kubernetes Inventory Agent must run with root access because:

  • Without root, the ndtrack module cannot correctly gather worker node hardware inventory.

  • Other standard agent processes expect root permissions and may not operate correctly without them.

  • When injected into containers, ndtrack.sh cannot be executed as root and may not operate correctly.
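Because the two errors above are expected, a pipeline that simply fails on any Kubeaudit error would block every deployment of the agent, while one that ignores errors would miss a real regression such as privileged: true slipping into the manifest. The script below is an added example, not code from this page or from the Kubeaudit project: it reads a saved Kubeaudit report in the default output format shown above, tolerates exactly the two documented errors, and fails on anything else. The sample reports it writes are constructed from the output on this page (the PrivilegedTrue entry is added by hand to simulate a regression) so that the gate runs without Kubeaudit installed.

```shell
#!/bin/sh
# Added example, not code from the Flexera page or the kubeaudit project: a CI
# gate that tolerates exactly the two kubeaudit errors this page documents as
# expected for the krm-controller Deployment and fails on anything else.
# Finding names are read from kubeaudit's default output ("-- [error] <Name>").

# Errors the page documents as required for the agent to operate.
ALLOWED_ERRORS="AppArmorDisabled RunAsNonRootCSCFalse"

# findings REPORT LEVEL: unique finding names of LEVEL (error|warning) in REPORT.
findings() {
  grep -E "^-- \[$2\] " "$1" | awk '{ print $3 }' | sort -u
}

# unexpected_errors REPORT: error names that are not on the allow list.
unexpected_errors() {
  findings "$1" error | while read -r name; do
    case " $ALLOWED_ERRORS " in
      *" $name "*) ;;               # documented, expected finding
      *) printf '%s\n' "$name" ;;   # anything else must fail the build
    esac
  done
}

# gate REPORT: status 0 when only allow-listed errors are present, else 1.
gate() {
  unexpected="$(unexpected_errors "$1")"
  if [ -n "$unexpected" ]; then
    printf 'kubeaudit gate FAILED; unexpected errors:\n%s\n' "$unexpected" >&2
    return 1
  fi
  printf 'kubeaudit gate passed (expected errors only: %s)\n' "$ALLOWED_ERRORS"
}

# Constructed sample reports so the gate can be exercised without kubeaudit.
WORK="$(mktemp -d)"
EXPECTED="$WORK/expected.txt"     # mirrors the findings shown on this page
REGRESSED="$WORK/regressed.txt"   # same, plus a constructed PrivilegedTrue error

cat > "$EXPECTED" <<'EOF'
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: krm-controller
--------------------------------------------
-- [error] AppArmorDisabled
   Message: AppArmor is disabled. The apparmor annotation should be set to 'runtime/default' or start with 'localhost/'.
   Metadata:
      Annotation: container.apparmor.security.beta.kubernetes.io/controller
      AnnotationValue: unconfined
      Container: controller

-- [error] RunAsNonRootCSCFalse
   Message: runAsNonRoot is set to false in the container SecurityContext. Either set it to true or set runAsUser to a value > 0.
   Metadata:
      Container: controller
EOF

{
  cat "$EXPECTED"
  printf '\n-- [error] PrivilegedTrue\n   Message: privileged is set to true in container SecurityContext.\n   Metadata:\n      Container: controller\n'
} > "$REGRESSED"

# Real use: kubeaudit all -f ./config/controller/deployment.yaml > report.txt && gate report.txt
gate "$EXPECTED"
gate "$REGRESSED" || echo "regression caught as intended"
```

Keep the allow list to the findings a reason is documented for; any new error name, including ones you have not seen before, should fail the build until someone either fixes the manifest or records why it is acceptable.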

note

spec.template.metadata.annotations.container.apparmor.security.beta.kubernetes.io/controller: unconfined is required by default, but it could be changed depending on the cluster's security settings - see Restrict a Container's Access to Resources with AppArmor in the Kubernetes Online Documentation. The value unconfined turns AppArmor off for the controller container, which is why Kubeaudit reports AppArmorDisabled; on worker nodes where AppArmor is enabled, runtime/default applies the container runtime's default profile and localhost/<name> applies a profile already loaded on the node. On Kubernetes 1.30 and later the same setting is also available as the securityContext.appArmorProfile field, which is the non-deprecated form of this annotation.
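If you decide to confine the controller, the change is a one-line edit of the annotation, but it is only worth making on nodes that can enforce the profile, and the new value should be one Kubeaudit accepts. The script below is an added example, not code from this page or from the Kubeaudit or Flexera projects: it validates the profile value against the two forms named in the AppArmorDisabled message, checks the kernel's AppArmor flag in sysfs, and rewrites the annotation with sed. The manifest it operates on is a trimmed copy of the Deployment above, and the two flag files stand in for nodes with and without AppArmor, so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the Flexera page or the kubeaudit project:
# switch the controller's AppArmor annotation from 'unconfined' to a confining
# profile, accepting only the values kubeaudit's AppArmorDisabled message
# allows ('runtime/default' or 'localhost/<profile>'), and check first that the
# worker node actually has AppArmor enabled (sysfs flag the kernel exposes).

ANNOTATION='container.apparmor.security.beta.kubernetes.io/controller'
ANNOTATION_RE="$(printf '%s' "$ANNOTATION" | sed 's/[.]/\\./g')"   # literal dots for sed

# valid_apparmor_profile VALUE: 0 if kubeaudit would accept VALUE.
valid_apparmor_profile() {
  case "$1" in
    runtime/default) return 0 ;;
    localhost/?*)    return 0 ;;   # a profile already loaded on the node
    *)               return 1 ;;
  esac
}

# apparmor_enabled [SYSFS_FILE]: 0 when the kernel reports AppArmor enabled.
# The argument exists so the check can be exercised against a constructed file.
apparmor_enabled() {
  f="${1:-/sys/module/apparmor/parameters/enabled}"
  [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# current_apparmor_profile MANIFEST: print the annotation's current value.
current_apparmor_profile() {
  sed -n "s#^ *$ANNOTATION_RE: *##p" "$1"
}

# set_apparmor_profile MANIFEST PROFILE: print MANIFEST with the annotation
# value replaced by PROFILE; refuses values kubeaudit would still flag.
set_apparmor_profile() {
  valid_apparmor_profile "$2" || { echo "refusing AppArmor profile '$2'" >&2; return 1; }
  sed "s#^\\( *$ANNOTATION_RE:\\) .*#\\1 $2#" "$1"
}

# Constructed inputs: a trimmed copy of the page's Deployment and two fake
# sysfs flag files standing in for nodes with and without AppArmor.
WORK="$(mktemp -d)"
MANIFEST="$WORK/deployment.yaml"
HARDENED="$WORK/deployment-apparmor.yaml"
cat > "$MANIFEST" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: krm-controller
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/controller: unconfined
    spec:
      containers:
      - name: controller
        image: public.ecr.aws/flexera/krm:1.7.2
EOF
printf 'Y\n' > "$WORK/apparmor_on"
printf 'N\n' > "$WORK/apparmor_off"

# Only confine the container where the node can enforce the profile.
if apparmor_enabled "$WORK/apparmor_on"; then
  set_apparmor_profile "$MANIFEST" runtime/default > "$HARDENED"
fi
```

On a real node call apparmor_enabled with no argument so it reads /sys/module/apparmor/parameters/enabled; if that file is missing or reads N, leave the annotation at unconfined, since a confining value would be silently ignored by the kubelet rather than enforced. After changing the value, rerun kubeaudit all -f against the edited file and expect only RunAsNonRootCSCFalse to remain.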