CIS 1.9 Kubernetes Policies Checks 5.1.5 returns an error when run inside a pod #1656

Open
winkrs opened this issue Aug 5, 2024 · 0 comments

Comments

@winkrs

winkrs commented Aug 5, 2024

Overview

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Automated)"
        audit: |
          kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | " namespace: \(.metadata.namespace), kind: \(.kind), name: \(.metadata.name), automountServiceAccountToken: \(.automountServiceAccountToken | if . == null then "notset" else . end )"' | xargs -L 1
        use_multiple_values: true
        tests:
          test_items:
            - flag: "automountServiceAccountToken"
              compare:
                op: eq
                value: false
              set: true
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          `automountServiceAccountToken: false`.
        scored: true

The audit script failed to run because the version of xargs in the pod does not recognize the -L option.

How did you run kube-bench?

I'm running kube-bench inside a pod using the job.yaml.

command used: kube-bench --json --check=5.1.5

What happened?

The audit script returned an error with the following reason:

failed to run: "kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | \" namespace: \\(.metadata.namespace), kind: \\(.kind), name: \\(.metadata.name), automountServiceAccountToken: \\(.automountServiceAccountToken | if . == null then \"notset\" else . end )\"' | xargs -L 1", output: "xargs: unrecognized option: L
BusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.

Usage: xargs [OPTIONS] [PROG ARGS]

Run PROG on every item given by stdin

	-0	NUL terminated input
	-a FILE	Read from FILE instead of stdin
	-o	Reopen stdin as /dev/tty
	-r	Don't run command if input is empty
	-t	Print the command on stderr before execution
	-p	Ask user whether to run each command
	-E STR,-e[STR]	STR stops input processing
	-I STR	Replace STR within PROG ARGS with input line
	-n N	Pass no more than N args to PROG
	-s N	Pass command line of no more than N bytes
	-P N	Run up to N PROGs in parallel
	-x	Exit if size is exceeded
", error: exit status 1

Here is the log from the pod in JSON format.

{
    "Controls": [
        {
            "id": "4",
            "version": "cis-1.9",
            "detected_version": "1.27",
            "text": "Worker Node Security Configuration",
            "node_type": "node",
            "tests": null,
            "total_pass": 0,
            "total_fail": 0,
            "total_warn": 0,
            "total_info": 0
        },
        {
            "id": "5",
            "version": "cis-1.9",
            "detected_version": "1.27",
            "text": "Kubernetes Policies",
            "node_type": "policies",
            "tests": [
                {
                    "section": "5.1",
                    "type": "",
                    "pass": 0,
                    "fail": 1,
                    "warn": 0,
                    "info": 0,
                    "desc": "RBAC and Service Accounts",
                    "results": [
                        {
                            "test_number": "5.1.5",
                            "test_desc": "Ensure that default service accounts are not actively used. (Automated)",
                            "audit": "kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | \" namespace: \\(.metadata.namespace), kind: \\(.kind), name: \\(.metadata.name), automountServiceAccountToken: \\(.automountServiceAccountToken | if . == null then \"notset\" else . end )\"' | xargs -L 1\n",
                            "AuditEnv": "",
                            "AuditConfig": "",
                            "type": "",
                            "remediation": "Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n`automountServiceAccountToken: false`.\n",
                            "test_info": [
                                "Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n`automountServiceAccountToken: false`.\n"
                            ],
                            "status": "FAIL",
                            "actual_value": "",
                            "scored": true,
                            "IsMultiple": true,
                            "expected_result": "",
                            "reason": "failed to run: \"kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | \\\" namespace: \\\\(.metadata.namespace), kind: \\\\(.kind), name: \\\\(.metadata.name), automountServiceAccountToken: \\\\(.automountServiceAccountToken | if . == null then \\\"notset\\\" else . end )\\\"' | xargs -L 1\", output: \"xargs: unrecognized option: L\nBusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.\n\nUsage: xargs [OPTIONS] [PROG ARGS]\n\nRun PROG on every item given by stdin\n\n\t-0\tNUL terminated input\n\t-a FILE\tRead from FILE instead of stdin\n\t-o\tReopen stdin as /dev/tty\n\t-r\tDon't run command if input is empty\n\t-t\tPrint the command on stderr before execution\n\t-p\tAsk user whether to run each command\n\t-E STR,-e[STR]\tSTR stops input processing\n\t-I STR\tReplace STR within PROG ARGS with input line\n\t-n N\tPass no more than N args to PROG\n\t-s N\tPass command line of no more than N bytes\n\t-P N\tRun up to N PROGs in parallel\n\t-x\tExit if size is exceeded\n\", error: exit status 1"
                        }
                    ]
                }
            ],
            "total_pass": 0,
            "total_fail": 1,
            "total_warn": 0,
            "total_info": 0
        }
    ],
    "Totals": {
        "total_pass": 0,
        "total_fail": 1,
        "total_warn": 0,
        "total_info": 0
    }
}

What did you expect to happen:

The audit script to run successfully as it did when run outside the pod.

Environment

kube-bench version: v1.8.0
kubectl version: v1.27.15

Fix:

Need to update Dockerfile line 24 to add the package findutils as shown below. This ensures that the GNU version of xargs is available inside the pod:

RUN apk --no-cache add procps findutils
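The failing audit only exists to feed one line per default service account into kube-bench's `flag`/`compare` rule. The script below is an added example, not kube-bench's own code: it applies the same 5.1.5 logic (the flag must be present and equal `false`; `null` is rendered as `notset` and therefore fails) directly in Python, so it works without GNU xargs. It assumes the `List` document shape that `kubectl get serviceaccount --all-namespaces -o=json` produces; the embedded sample is constructed.

```python
"""Evaluate CIS Kubernetes Benchmark check 5.1.5 without relying on `xargs -L`."""
import json
import sys

# Constructed sample of `kubectl get serviceaccount --all-namespaces \
#   --field-selector metadata.name=default -o=json` (trimmed to the fields used).
SAMPLE_JSON = """
{"kind": "List", "items": [
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"},
   "automountServiceAccountToken": false},
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "kube-system"}},
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "dev"},
   "automountServiceAccountToken": true}
]}
"""


def render_lines(doc):
    """Reproduce the audit's jq template: one line per default SA, null -> 'notset'."""
    lines = []
    for item in doc["items"]:
        value = item.get("automountServiceAccountToken")
        shown = "notset" if value is None else json.dumps(value)  # jq prints true/false
        lines.append(
            f" namespace: {item['metadata']['namespace']}, kind: {item['kind']}, "
            f"name: {item['metadata']['name']}, automountServiceAccountToken: {shown}"
        )
    return lines


def evaluate(doc):
    """Apply the test_items rule: flag set AND eq false -> PASS, anything else -> FAIL."""
    return [
        (item["metadata"]["namespace"],
         "PASS" if item.get("automountServiceAccountToken") is False else "FAIL")
        for item in doc["items"]
    ]


def render_text(text):
    return render_lines(json.loads(text))


def evaluate_text(text):
    return evaluate(json.loads(text))


if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin; with no stdin, the constructed sample is used.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for line in render_text(source):
        print(line)
    for namespace, status in evaluate_text(source):
        print(f"{status}\t{namespace}")
```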