Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

host-scanner is stuck when scanning Talos based clusters #42

Open
alegrey91 opened this issue Apr 26, 2023 · 0 comments
Open

host-scanner is stuck when scanning Talos based clusters #42

alegrey91 opened this issue Apr 26, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@alegrey91
Copy link
Collaborator

Description

Execution of host-scanner is stuck when scanning Talos based clusters.

Environment

OS: Talos Linux
Version: v1.4.0
Kubernetes version: v1.26.3

Steps To Reproduce

Steps to reproduce the behavior:

  1. Run the following command kubescape scan framework cis-v1.23-t1.0.1 --enable-host-scan against a talos based kubernetes cluster. At this point we should be stuck from kubescape output with this log:
[info] Kubescape scanner starting
[debug] Kubescape Cloud URLs. api: api.armosec.io; auth: auth.armosec.io; report: report.armo.cloud; UI: cloud.armosec.io
[info] Installing host scanner
[debug] The host scanner is a DaemonSet that runs on each node in the cluster. The DaemonSet will be running in it's own namespace and will be deleted once the scan is completed. If you do not wish to install the host scanner, please run the scan without the --enable-host-scan flag.
[info] Downloading/Loading policy definitions
Downloading framework. framework: cis-v1.23-t1.0.1
[success] Downloaded/Loaded policy
[info] Accessing Kubernetes objects
[success] Accessed to Kubernetes objects
[info] Requesting Host scanner data
[debug] Collecting host scanner resources
[debug] Accessing host scanner
[info] Host scanner version : v1.0.54
  1. Run the following one-liner for i in controlplaneinfo cniinfo kernelversion kubeletinfo kubeproxyinfo cloudproviderinfo osrelease openedports linuxsecurityhardening version; do echo $i && wget -qO- http://localhost:7888/$i; done.
  2. Check for logs:
{"level":"info","ts":"2023-04-26T14:19:55Z","msg":"Listening...","port":7888}
{"level":"warn","ts":"2023-04-26T14:50:46Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/kube-apiserver.yaml","error":"stat /host_fs/etc/kubernetes/manifests/kube-apiserver.yaml: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/manifests/kube-apiserver.yaml"}
{"level":"warn","ts":"2023-04-26T14:50:47Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/kube-controller-manager.yaml","error":"stat /host_fs/etc/kubernetes/manifests/kube-controller-manager.yaml: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/manifests/kube-controller-manager.yaml"}
{"level":"warn","ts":"2023-04-26T14:50:47Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/controller-manager.conf","error":"stat /host_fs/etc/kubernetes/controller-manager.conf: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/controller-manager.conf"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/kube-scheduler.yaml","error":"stat /host_fs/etc/kubernetes/manifests/kube-scheduler.yaml: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/manifests/kube-scheduler.yaml"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/scheduler.conf","error":"stat /host_fs/etc/kubernetes/scheduler.conf: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/scheduler.conf"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/etcd.yaml","error":"stat /host_fs/etc/kubernetes/manifests/etcd.yaml: no such file or directory","in":"SenseControlPlaneInfo","component":"EtcdConfigFile"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/admin.conf","error":"stat /host_fs/etc/kubernetes/admin.conf: no such file or directory","in":"SenseControlPlaneInfo","component":"AdminConfigFile"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"getCNIConfigDirFromConfig- Failed to Call ReadDir","configDirPath":"/host_fs/etc/containerd/containerd.conf.d","error":"open /host_fs/etc/containerd/containerd.conf.d: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:52Z","msg":"getCNIName- Failed to locate process for cni","cni name":"aws","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:54Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Flannel","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:55Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Cilium","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:57Z","msg":"getCNIName- Failed to locate process for cni","cni name":"WeaveNet","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:58Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Kindnet","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:59Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Multus","error":"no process with given suffix found"}

Expected behavior

host-scanner should be able to read information from the OS.

Actual Behavior

host-scanner is unable to retrieve data from /kubeletinfo endpoint.

Additional context

Thanks to @bnason for reporting the bug. We had a conversation on slack here: https://cloud-native.slack.com/archives/C04EY3ZF9GE/p1682517113961639
@alegrey91 alegrey91 added the bug Something isn't working label Apr 26, 2023
@matthyx matthyx moved this to Triage in Kubescaping Aug 18, 2024
@matthyx matthyx moved this from Triage to Accepted in Kubescaping Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Kubescaping
Status: Accepted
Milestone
No milestone
Development

No branches or pull requests
1 participant
@alegrey91