Issue with enabling cis-hardening addon #237

Open
LorenzoAstengo opened this issue Sep 26, 2023 · 5 comments

LorenzoAstengo commented Sep 26, 2023

Summary

I need to enable the cis-hardening addon in an air-gapped microk8s cluster. As stated in the documentation, I have to disable the kube-bench download by setting the --install-kubebench flag to false. However, it doesn't seem to recognize the flag, as it keeps trying to download kube-bench from GitHub and fails.

What Should Happen Instead?

It should skip the kube-bench download, allowing me to complete the addon installation in an air-gapped environment.

Reproduction Steps

I've tried all these types of flags, but I got the same result:
microk8s kubectl enable cis-hardening --install-kubebench false
microk8s kubectl enable cis-hardening --install-kubebench False
microk8s kubectl enable cis-hardening --install-kubebench=false
microk8s kubectl enable cis-hardening --install-kubebench=False

Every time, the code goes through the DownloadKubebench function, as it prints out the "Downloading kube-bench" message and then crashes contacting the kube-bench URL.

Can you suggest a fix?

It seems to be an issue with the Click library not correctly interpreting the flag.

Thank you!

@LorenzoAstengo
Author

Hi,
Could someone help me?

Thanks.

@ktsakalozos
Member

Hi @LorenzoAstengo, apologies for the late reply, I missed it.

Thank you for reaching out and reporting this problem. This is a bug in the cis-hardening addon. Currently, to skip downloading kube-bench you need to do:

sudo microk8s.enable cis-hardening --install-kubebench=""

This issue has been fixed and in the next release 1.28.3 we will make sure the --install-kubebench="false" will also result in kubebench downloading being skipped. In the 1.29 release we will introduce a --skip-kubebench-installation flag for this purpose.

Apologies for the inconvenience.
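
A sketch of one way the behaviour reported in this thread can arise, added here as an example and not taken from the addon's code or from either participant. It assumes the option value is kept as a string and tested for truthiness, and it uses the standard-library argparse rather than Click; `strict_bool`, `build_parser` and `will_download` are hypothetical names.

```python
import argparse

# Accepted spellings (an assumption for this sketch, not the addon's list).
TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"", "0", "false", "no", "off"}


def strict_bool(text: str) -> bool:
    """Map a command-line string to a bool, rejecting anything ambiguous."""
    word = text.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise argparse.ArgumentTypeError(f"expected true/false, got {text!r}")


def build_parser(strict: bool) -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="enable-sketch", exit_on_error=False)
    # Naive form: the value stays a str, so "false" is just a non-empty string.
    # Strict form: the value is converted to a real bool at parse time.
    parser.add_argument(
        "--install-kubebench",
        default="true",
        type=strict_bool if strict else str,
    )
    return parser


def will_download(argv: list[str], strict: bool) -> bool:
    """Return True if this invocation would try to fetch kube-bench."""
    args = build_parser(strict).parse_args(argv)
    # For a str only "" is falsy, which matches the ="" workaround above.
    return bool(args.install_kubebench)


if __name__ == "__main__":
    # Constructed argument lists mirroring the forms tried in this issue.
    for argv in (["--install-kubebench", "false"], ["--install-kubebench=False"],
                 ["--install-kubebench="], []):
        print(argv, "naive:", will_download(argv, strict=False),
              "strict:", will_download(argv, strict=True))
```

In an air-gapped install the strict form fails closed on a typo such as `--install-kubebench=flase` instead of silently attempting the download.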

@LorenzoAstengo
Author

Hi @ktsakalozos,
Thank you for the response. I'll ask you another question: is there any file/configuration that allows specifying which CIS points not to apply? At the moment, I've skipped certain points (such as the 'image pull always' that isn't applicable in an airgapped environment) and fixed the Kubebench download issue by modifying the addon files on my system. However, it would be more convenient to have a file where you can specify which points to skip.

Thank you!

@ktsakalozos
Member

At this point there is no file to configure which CIS recommendations you want to apply and which ones to skip. The closest to that at this point would be to edit /var/snap/microk8s/common/addons/core/addons/cis-hardening/enable to match your needs. This file is 440 lines of Python code.

@rubel-ahammad

rubel-ahammad commented Jan 13, 2024

In Microk8s 1.28.3 the following command works for me.

microk8s kubectl enable cis-hardening:--install-kubebench=false

Earlier the following command worked for me, but it isn't working now with 1.28.3.

microk8s kubectl enable cis-hardening:--install-kubebench=''
