
failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2 #1595

Open
eravindar12 opened this issue Apr 7, 2024 · 6 comments

Comments

eravindar12 commented Apr 7, 2024

Overview

I am trying to integrate AWS Security Hub and EKS, and I've come across the following issue. Would you happen to have any suggestions on how to resolve it? Your assistance would be greatly appreciated. Thank you!

Here are the details regarding the error encountered.

failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2

How did you run kube-bench?

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench
  # If using a dedicated IAM role for kube-bench, uncomment the annotations
  # block below and replace the ROLE_ARN
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::xxxxxx:role/kube-bench-xxx-scan-re"

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "xxxxx"
    AWS_REGION: "us-east-1"
    CLUSTER_ARN: "arn:aws:eks:us-east-1:xxxxx:cluster/xxx-xxx-stage"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          # Push the image to your ECR and then refer to it here
          image: docker.io/aquasec/kube-bench:latest
          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          # TBD - RE 
          # image: xxxxx.dkr.ecr.us-east-1.amazonaws.com/aquasec/kube-bench:latest
          command:
            [
              "kube-bench",
              "run",
              "--targets",
              "node",
              "--benchmark",
              "eks-1.2.0",
              "--asff",
            ]
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            - name: kube-bench-eks-config
              mountPath: "/opt/kube-bench/cfg/eks-1.2.0/config.yaml"
              subPath: config.yaml
              readOnly: true
      restartPolicy: Never
      serviceAccountName: kube-bench
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            items:
              - key: config.yaml
                path: config.yaml

What happened?

❯ k get po -n kube-bench
NAME               READY   STATUS   RESTARTS   AGE
kube-bench-g2lq2   0/1     Error    0          5m8s
kube-bench-m2tsw   0/1     Error    0          2m27s
❯ k describe po kube-bench-g2lq2 -n kube-bench
Name:             kube-bench-g2lq2
Namespace:        kube-bench
Priority:         0
Service Account:  kube-bench
Node:             ip-10-xx-xx-5.ec2.internal/10.xx.xx.x
Start Time:       Sun, 07 Apr 2024 12:32:53 -0500
Labels:           batch.kubernetes.io/controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  batch.kubernetes.io/job-name=kube-bench
                  controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  job-name=kube-bench
Annotations:      <none>
Status:           Failed
IP:               10.xx.xx.xxx
IPs:
  IP:           10.xx.xx.xxx
Controlled By:  Job/kube-bench
Containers:
  kube-bench:
    Container ID:  containerd://6d32baa3761533f37aa5a1017c7ebed7edc447cfbbc0b0226eb4a1a967f3659d
    Image:         docker.io/aquasec/kube-bench:latest
    Image ID:      docker.io/aquasec/kube-bench@sha256:1f91942f94a79c8298b06a562c74c17d43fcddb9159d82174485f8358ff3832b
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-bench
      run
      --targets
      node
      --benchmark
      eks-1.2.0
      --asff
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sun, 07 Apr 2024 12:32:53 -0500
      Finished:     Sun, 07 Apr 2024 12:32:54 -0500
    Ready:          False
    Restart Count:  0
    Environment:
      NODE_NAME:                     (v1:spec.nodeName)
      AWS_STS_REGIONAL_ENDPOINTS:   regional
      AWS_DEFAULT_REGION:           us-east-1
      AWS_REGION:                   us-east-1
      AWS_ROLE_ARN:                 arn:aws:iam::xxxxx:role/kube-bench-cis-scan-re
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /etc/kubernetes from etc-kubernetes (ro)
      /etc/systemd from etc-systemd (ro)
      /opt/kube-bench/cfg/eks-1.2.0/config.yaml from kube-bench-eks-config (ro,path="config.yaml")
      /var/lib/kubelet from var-lib-kubelet (ro)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zlqb5 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   False
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  var-lib-kubelet:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/kubelet
    HostPathType:
  etc-systemd:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/systemd
    HostPathType:
  etc-kubernetes:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes
    HostPathType:
  kube-bench-eks-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kube-bench-eks-config
    Optional:  false
  kube-api-access-zlqb5:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  5m19s  default-scheduler  Successfully assigned kube-bench/kube-bench-g2lq2 to ip-xx-xx-xx-5.ec2.internal
  Normal  Pulling    5m19s  kubelet            Pulling image "docker.io/aquasec/kube-bench:latest"
  Normal  Pulled     5m19s  kubelet            Successfully pulled image "docker.io/aquasec/kube-bench:latest" in 125ms (125ms including waiting)
  Normal  Created    5m19s  kubelet            Created container kube-bench
  Normal  Started    5m19s  kubelet            Started container kube-bench

What did you expect to happen:

I'm expecting that the pods should run smoothly and push the results to AWS Security Hub without encountering these errors.

Environment

What is your version of kube-bench? (run kube-bench version)

latest -> v0.7.2

What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)
EKS 1.29

@codehopper-uk

Any update on this? I'm experiencing the same error with the same setup:
failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2

@harshvardhan1402

facing the same error too, do we have any update on this?
[screenshot attached: Screenshot 2024-05-05 at 12 18 49 PM]

@ShahbazRahmat

Hi @harshvardhan1402,

I encountered the same issue while deploying kube-bench with the latest version. The latest version has some bugs, though I am not sure of the specifics. However, I deployed version 6.19.0, and it is working for me.

You can download version 6.19.0 using the command below and follow the steps mentioned in the official documentation.

git clone https://github.com/aquasecurity/kube-bench.git --branch v0.6.19

@prafultamrakar

git clone https://github.com/aquasecurity/kube-bench.git --branch v0.6.19
worked for me thanks @ShahbazRahmat

@w-reichert (Contributor)

I wonder if this issue will be fixed. In version v0.8.0 we still see the same error.

The root cause might be related to the aws-sdk-go packages as described here: aws/aws-sdk-go-v2#2370 (comment)

Thank you.
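
Since the thread traces the error to mixing aws-sdk-go-v2 modules from before and after a breaking change, and the fix superseded a bot dependency PR, the supply-chain guard a practitioner wants is a check that the whole module family moves together in any dependency update. The Go program below is an added example, not kube-bench code: it parses two go.mod snapshots and reports a change that bumps some `github.com/aws/aws-sdk-go-v2` modules but leaves others untouched. The go.mod contents and version numbers are constructed for the example; the heuristic deliberately over-reports, since a coordinated update can legitimately leave a submodule that had no new release at its old version, so a hit means review, not rejection.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sdkPrefix is the module family whose members must be updated together.
const sdkPrefix = "github.com/aws/aws-sdk-go-v2"

// Requires extracts module path -> version from go.mod text. It handles both
// single-line `require x vN` and `require ( ... )` blocks and drops comments
// such as `// indirect`. It deliberately ignores replace and exclude.
func Requires(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// SDKFamily keeps only the core module and its submodules (config, credentials,
// service/securityhub, internal/..., and so on).
func SDKFamily(reqs map[string]string) map[string]string {
	out := map[string]string{}
	for path, v := range reqs {
		if path == sdkPrefix || strings.HasPrefix(path, sdkPrefix+"/") {
			out[path] = v
		}
	}
	return out
}

// BumpReport lists which family members a change touched and which it left alone.
type BumpReport struct{ Changed, Unchanged []string }

// Partial is true when the change moved some family members but not others,
// the shape a single-module dependency bump produces.
func (r BumpReport) Partial() bool { return len(r.Changed) > 0 && len(r.Unchanged) > 0 }

// PartialBump compares two go.mod snapshots (before and after a change).
// Modules present only after the change count as changed; removed ones are ignored.
func PartialBump(before, after string) BumpReport {
	b, a := SDKFamily(Requires(before)), SDKFamily(Requires(after))
	var r BumpReport
	for path, v := range a {
		if b[path] == v {
			r.Unchanged = append(r.Unchanged, path)
		} else {
			r.Changed = append(r.Changed, path)
		}
	}
	sort.Strings(r.Changed)
	sort.Strings(r.Unchanged)
	return r
}

// Constructed go.mod snapshots (versions are arbitrary): sampleAfter bumps only
// the core module, the shape of an automated single-dependency PR.
const sampleBefore = `module example.com/kube-bench-consumer

go 1.22

require (
	github.com/aws/aws-sdk-go-v2 v1.21.0
	github.com/aws/aws-sdk-go-v2/config v1.18.0
	github.com/aws/aws-sdk-go-v2/service/securityhub v1.36.0 // indirect
	github.com/aws/smithy-go v1.15.0
)
`

const sampleAfter = `module example.com/kube-bench-consumer

go 1.22

require (
	github.com/aws/aws-sdk-go-v2 v1.26.0
	github.com/aws/aws-sdk-go-v2/config v1.18.0
	github.com/aws/aws-sdk-go-v2/service/securityhub v1.36.0 // indirect
	github.com/aws/smithy-go v1.15.0
)
`

func main() {
	r := PartialBump(sampleBefore, sampleAfter)
	fmt.Println("changed:  ", r.Changed)
	fmt.Println("unchanged:", r.Unchanged)
	if r.Partial() {
		fmt.Println("partial aws-sdk-go-v2 bump: update the whole family together and re-test ASFF output")
	}
}
```

For a built binary rather than a source tree, `go version -m <binary>` prints the module versions embedded at build time, which is the quickest way to see exactly which SDK modules a given kube-bench image shipped with.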

w-reichert added a commit to w-reichert/kube-bench that referenced this issue Sep 26, 2024
A breaking change was introduced in aws-sdk-go-v2.
See aws/aws-sdk-go-v2#2370 (comment).

Mixing aws-sdk-go-v2 packages from versions before and after the breaking change causes kube-bench to fail. This issue occurs when it attempts to access AWS Security Hub.

Addressed issue: aquasecurity#1595

Supersedes bot PR: aquasecurity#1689
Besides upgrading to latest SDK version, some variable types need to be adapted.
afdesk pushed a commit that referenced this issue Sep 28, 2024
deebhatia pushed a commit to VoerEirAB/kube-bench that referenced this issue Oct 14, 2024