
host-scanner is stuck when scanning Talos based clusters #42

Open
@alegrey91

Description


Execution of host-scanner is stuck when scanning Talos based clusters.

Environment

OS: Talos Linux
Version: v1.4.0
Kubernetes version: v1.26.3

Steps To Reproduce

Steps to reproduce the behavior:

  1. Run the command kubescape scan framework cis-v1.23-t1.0.1 --enable-host-scan against a Talos-based Kubernetes cluster. At this point the scan should be stuck, with this log in the kubescape output:
[info] Kubescape scanner starting
[debug] Kubescape Cloud URLs. api: api.armosec.io; auth: auth.armosec.io; report: report.armo.cloud; UI: cloud.armosec.io
[info] Installing host scanner
[debug] The host scanner is a DaemonSet that runs on each node in the cluster. The DaemonSet will be running in it's own namespace and will be deleted once the scan is completed. If you do not wish to install the host scanner, please run the scan without the --enable-host-scan flag.
[info] Downloading/Loading policy definitions
Downloading framework. framework: cis-v1.23-t1.0.1
[success] Downloaded/Loaded policy
[info] Accessing Kubernetes objects
[success] Accessed to Kubernetes objects
[info] Requesting Host scanner data
[debug] Collecting host scanner resources
[debug] Accessing host scanner
[info] Host scanner version : v1.0.54
  2. Run the following one-liner:
for i in controlplaneinfo cniinfo kernelversion kubeletinfo kubeproxyinfo cloudproviderinfo osrelease openedports linuxsecurityhardening version; do echo $i && wget -qO- http://localhost:7888/$i; done
  3. Check the logs:
{"level":"info","ts":"2023-04-26T14:19:55Z","msg":"Listening...","port":7888}
{"level":"warn","ts":"2023-04-26T14:50:46Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/kube-apiserver.yaml","error":"stat /host_fs/etc/kubernetes/manifests/kube-apiserver.yaml: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/manifests/kube-apiserver.yaml"}
{"level":"warn","ts":"2023-04-26T14:50:47Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/kube-controller-manager.yaml","error":"stat /host_fs/etc/kubernetes/manifests/kube-controller-manager.yaml: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/manifests/kube-controller-manager.yaml"}
{"level":"warn","ts":"2023-04-26T14:50:47Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/controller-manager.conf","error":"stat /host_fs/etc/kubernetes/controller-manager.conf: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/controller-manager.conf"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/kube-scheduler.yaml","error":"stat /host_fs/etc/kubernetes/manifests/kube-scheduler.yaml: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/manifests/kube-scheduler.yaml"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/scheduler.conf","error":"stat /host_fs/etc/kubernetes/scheduler.conf: no such file or directory","in":"makeProcessInfoVerbose","path":"/etc/kubernetes/scheduler.conf"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/manifests/etcd.yaml","error":"stat /host_fs/etc/kubernetes/manifests/etcd.yaml: no such file or directory","in":"SenseControlPlaneInfo","component":"EtcdConfigFile"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"failed to MakeHostFileInfo","path":"/etc/kubernetes/admin.conf","error":"stat /host_fs/etc/kubernetes/admin.conf: no such file or directory","in":"SenseControlPlaneInfo","component":"AdminConfigFile"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:48Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"getCNIConfigDirFromConfig- Failed to Call ReadDir","configDirPath":"/host_fs/etc/containerd/containerd.conf.d","error":"open /host_fs/etc/containerd/containerd.conf.d: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/passwd: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:51Z","msg":"MakeHostFileInfo","error":"open /host_fs/etc/group: no such file or directory"}
{"level":"warn","ts":"2023-04-26T14:50:52Z","msg":"getCNIName- Failed to locate process for cni","cni name":"aws","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:54Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Flannel","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:55Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Cilium","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:57Z","msg":"getCNIName- Failed to locate process for cni","cni name":"WeaveNet","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:58Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Kindnet","error":"no process with given suffix found"}
{"level":"warn","ts":"2023-04-26T14:50:59Z","msg":"getCNIName- Failed to locate process for cni","cni name":"Multus","error":"no process with given suffix found"}

Expected behavior

host-scanner should be able to read information from the OS.

Actual Behavior

host-scanner is unable to retrieve data from the /kubeletinfo endpoint.

Additional context

Thanks to @bnason for reporting the bug. We had a conversation on Slack here: https://cloud-native.slack.com/archives/C04EY3ZF9GE/p1682517113961639
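
An added diagnostic example, not part of the original issue or of the host-scanner code base: it sweeps the endpoints from the one-liner above with a per-request deadline, so a sensor that never answers is reported as a timeout instead of hanging the loop. The port and endpoint names come from the issue; the 10-second limit and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// Endpoint names copied from the one-liner in the issue.
var endpoints = []string{"controlplaneinfo", "cniinfo", "kernelversion", "kubeletinfo", "kubeproxyinfo",
	"cloudproviderinfo", "osrelease", "openedports", "linuxsecurityhardening", "version"}

// probe GETs base/name and returns "ok", "timeout" or "error: <detail>".
func probe(base, name string, limit time.Duration) string {
	client := http.Client{Timeout: limit} // covers connect, headers and body
	resp, err := client.Get(base + "/" + name)
	if err == nil {
		defer resp.Body.Close()
		_, err = io.Copy(io.Discard, resp.Body) // a sensor can also stall mid-body
	}
	var ne net.Error
	switch {
	case errors.As(err, &ne) && ne.Timeout():
		return "timeout"
	case err != nil:
		return "error: " + err.Error()
	case resp.StatusCode != http.StatusOK:
		return fmt.Sprintf("error: HTTP %d", resp.StatusCode)
	}
	return "ok"
}

// probeAll sweeps every endpoint in order and returns name -> outcome.
func probeAll(base string, limit time.Duration) map[string]string {
	out := make(map[string]string, len(endpoints))
	for _, name := range endpoints {
		out[name] = probe(base, name, limit)
	}
	return out
}

func main() {
	// Assumed limit of 10s per endpoint; base URL as used in the issue.
	for name, result := range probeAll("http://localhost:7888", 10*time.Second) {
		fmt.Printf("%-24s %s\n", name, result)
	}
}
```
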


Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Type: No type
Projects: Status: Accepted
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests