
Kubescape Operator - Controls that require visibility of the nodes are missing in report (e.g., Worker Configuration Files and Kubelet) for CIS framework #1755

Open
AdonisOkpidi opened this issue Nov 15, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@AdonisOkpidi

AdonisOkpidi commented Nov 15, 2024

Description

Deployed the Kubescape operator Helm chart with all capabilities enabled in the Helm values.yaml, including the nodeScan variable for GKE. However, no related control checks for Worker Configuration Files and Kubelet were found in the workload reports, indicating host scans were not possible/configured?

However, using the CLI with --enable-host-scan scans all controls with no "Action Required *" in the output and successfully provides all findings. I understand this is now deprecated, so I would like to know how to make this work using the operator.

Environment

  • OS: Windows
  • Kubescape Version: v3.0.18

Steps To Reproduce

  1. Install the Kubescape operator with the following command:
    helm upgrade --install kubescape /helm-charts/charts/kubescape-operator \
      -n kubescape --create-namespace \
      --set clusterName=$(kubectl config current-context) \
      -f values.yaml

NB: Enable all capabilities in the Helm values.yaml, including nodeScan.

Expected behavior

  1. Host-related controls (e.g., Worker Configuration Files and Kubelet) should appear in the reports generated by the operator when all capabilities, including nodeScan, are enabled.

  2. Can you filter to scan for only the framework cis-v1.23-t1.0.1 in the operator?

Actual Behavior

No host-related controls are included in the reports when using the operator.
Running the CLI with --enable-host-scan does successfully include these findings.

Additional context

kubescape scan framework cis-v1.23-t1.0.1 --enable-host-scan --use-from regolibrary/offline/cis-v1.23-t1.0.1.json --verbose --controls-config regolibrary/controls-inputs.json

This command scans all controls, including host-related ones, because of the --enable-host-scan flag. However, this feature is deprecated, and findings are expected to be included in the operator's reports without relying on the CLI.

@AdonisOkpidi AdonisOkpidi added the bug Something isn't working label Nov 15, 2024
@AdonisOkpidi AdonisOkpidi changed the title Host-related controls (e.g., Worker Configuration Files and Kubelet) does not appear in the reports generated by the operator when all capabilities, including nodeScan, are enabled. Controls that require visibility of the nodes are skipped (e.g., Worker Configuration Files and Kubelet) for CIS framework Nov 18, 2024
@AdonisOkpidi AdonisOkpidi changed the title Controls that require visibility of the nodes are skipped (e.g., Worker Configuration Files and Kubelet) for CIS framework Kubescape Operator - Controls that require visibility of the nodes are missing in report (e.g., Worker Configuration Files and Kubelet) for CIS framework Nov 18, 2024
@matthyx matthyx moved this to High Priority in Kubescaping Nov 26, 2024
@matthyx
Contributor

matthyx commented Nov 26, 2024

good catch, thanks

@AdonisOkpidi
Author

@matthyx Can you confirm the following?

  1. Timeline to resolve this bug?
  2. What frameworks are scanned by default by the operator?
  3. How to set the default framework used by the operator for GKE environment to cis-v1.23-t1.0.1 and cis-aks-t1.2.0 for AKS.

@Bezbran
Contributor

Bezbran commented Dec 19, 2024

Hi @AdonisOkpidi, as for the host scan missing controls (point 1), in the initial scan of the operator it is not enabled, but it is for the recurring scans.
As for point 2, in the initial scan it scans for the "allcontrols", "nsa" and "mitre" frameworks, and at recurring scans it scans all FWs.
As for point 3, one can tweak the configmap named "kubescape-scheduler" to something like the following (an example could be found here) to scan only specific framework(s).

{
    "commands": [
        {
            "CommandName": "kubescapeScan",
            "args": {
                "scanV1": {
                    "targetType": "framework",
                    "targetNames": [
                        "cis-v1.23-t1.0.1"
                    ]
                }
            }
        }
    ]
}

Please let us know if you have any other questions.

@AdonisOkpidi
Author

AdonisOkpidi commented Jan 2, 2025

@Bezbran Thanks for the reply.

Regarding point 1, I will confirm this once I have been able to install as I am experiencing some issues.

Point 3: is it possible for this to be moved to be controlled by values.yaml? The reason is that the Security team would manage the values.yaml and the Engineering teams would install and upgrade from the Kubescape remote repository.

@Bezbran
Contributor

Bezbran commented Jan 5, 2025

Hi @AdonisOkpidi, sure, let us know how it is going.

Regarding point 3, I understand your use case. It's possible to make it configurable and I opened a ticket for it.
We will assign someone to handle it soon.

@AdonisOkpidi
Author

Thanks a lot for this! @Bezbran

@AdonisOkpidi
Author

AdonisOkpidi commented Jan 7, 2025

@Bezbran

QQ: You mentioned "in the initial scan it scans for "allcontrols", "nsa" and "mitre" frameworks and at recurring scans it scans all FWs". So if Kubescape was installed in GKE, would it scan using the AKS framework as well (cis-aks-t1.2.0), or would this framework be skipped and applied only to AKS environments?

@Bezbran
Contributor

Bezbran commented Jan 7, 2025

Hi @AdonisOkpidi,
you can see here that this framework is marked as "AKS only" in the scanningScope section.
So it should be skipped for any non-AKS environment.
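Putting the two answers above together (restricting the "kubescape-scheduler" configmap to specific frameworks, and the scanningScope rule under which an "AKS only" framework is skipped on GKE) as an added example; this is not Kubescape's own code. It assumes the scanningScope layout `{"matches": [...]}` and the rule that a generic "cluster" scope applies to every cluster while a provider scope applies only to that provider; the framework metadata and scheduler JSON are constructed samples.

```python
import json

# Constructed sample of the scheduler ConfigMap payload from the thread, before
# any restriction: a kubescapeScan command with no target, i.e. scan all frameworks.
SAMPLE_SCHEDULER_JSON = json.dumps({
    "commands": [{"CommandName": "kubescapeScan", "args": {"scanV1": {}}}]
})

# Constructed framework metadata in the shape regolibrary's scanningScope uses
# (assumed layout): "cluster" applies to any cluster, "AKS" to AKS only.
FRAMEWORK_SCOPE = {
    "cis-v1.23-t1.0.1": {"matches": ["cluster"]},
    "cis-aks-t1.2.0": {"matches": ["AKS"]},
    "allcontrols": {"matches": ["cluster", "file"]},
}


def applies_to(framework, cluster_kind, scopes=FRAMEWORK_SCOPE):
    """True if the framework's scanningScope covers this cluster kind.
    Rule assumed here: a generic "cluster" scope matches every cluster, a
    provider scope (AKS/EKS/GKE) matches only that provider; unknown frameworks
    are rejected rather than silently scheduled."""
    if framework not in scopes:
        raise ValueError(f"unknown framework: {framework}")
    matches = scopes[framework]["matches"]
    return "cluster" in matches or cluster_kind in matches


def restrict_scheduler(config_json, wanted, cluster_kind):
    """Rewrite every kubescapeScan command so only the applicable frameworks in
    `wanted` run. Returns (new_config_json, skipped_frameworks)."""
    keep = [f for f in wanted if applies_to(f, cluster_kind)]
    skipped = [f for f in wanted if f not in keep]
    cfg = json.loads(config_json)
    for cmd in cfg["commands"]:
        if cmd.get("CommandName") != "kubescapeScan":
            continue
        scan = cmd.setdefault("args", {}).setdefault("scanV1", {})
        scan["targetType"] = "framework"
        scan["targetNames"] = keep
    return json.dumps(cfg, indent=4), skipped


if __name__ == "__main__":
    new_cfg, dropped = restrict_scheduler(
        SAMPLE_SCHEDULER_JSON, ["cis-v1.23-t1.0.1", "cis-aks-t1.2.0"], "GKE")
    print(new_cfg)              # targetNames contains only cis-v1.23-t1.0.1
    print("skipped:", dropped)  # ['cis-aks-t1.2.0']
```

The returned JSON is what would go into the configmap's data; on a GKE cluster the AKS-only framework is reported as skipped instead of being scheduled.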

@AdonisOkpidi
Author

Oh okay! Thanks for confirming this would be skipped by default @Bezbran
