failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2 #1595
Description
Overview
I am trying to integrate AWS Security Hub and EKS, and I've come across the following issue. Would you happen to have any suggestions on how to resolve it? Your assistance would be greatly appreciated. Thank you!
Here are the details regarding the error encountered:
```
failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2
```
How did you run kube-bench?
[Please specify exactly how you ran kube-bench, including details of command parameters and/or job file that you used to run it]
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench
  # If using a dedicated IAM role for kube-bench, uncomment the annotations
  # block below and replace the ROLE_ARN
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::xxxxxx:role/kube-bench-xxx-scan-re"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "xxxxx"
    AWS_REGION: "us-east-1"
    CLUSTER_ARN: "arn:aws:eks:us-east-1:xxxxx:cluster/xxx-xxx-stage"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          # Push the image to your ECR and then refer to it here
          image: docker.io/aquasec/kube-bench:latest
          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          # TBD - RE
          # image: xxxxx.dkr.ecr.us-east-1.amazonaws.com/aquasec/kube-bench:latest
          command:
            [
              "kube-bench",
              "run",
              "--targets",
              "node",
              "--benchmark",
              "eks-1.2.0",
              "--asff",
            ]
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            - name: kube-bench-eks-config
              mountPath: "/opt/kube-bench/cfg/eks-1.2.0/config.yaml"
              subPath: config.yaml
              readOnly: true
      restartPolicy: Never
      serviceAccountName: kube-bench
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            items:
              - key: config.yaml
                path: config.yaml
```
What happened?
```
❯ k get po -n kube-bench
NAME               READY   STATUS   RESTARTS   AGE
kube-bench-g2lq2   0/1     Error    0          5m8s
kube-bench-m2tsw   0/1     Error    0          2m27s

❯ k describe po kube-bench-g2lq2 -n kube-bench
Name:             kube-bench-g2lq2
Namespace:        kube-bench
Priority:         0
Service Account:  kube-bench
Node:             ip-10-xx-xx-5.ec2.internal/10.xx.xx.x
Start Time:       Sun, 07 Apr 2024 12:32:53 -0500
Labels:           batch.kubernetes.io/controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  batch.kubernetes.io/job-name=kube-bench
                  controller-uid=bd049759-9938-47d2-b2ee-a02cc84cc1ea
                  job-name=kube-bench
Annotations:      <none>
Status:           Failed
IP:               10.xx.xx.xxx
IPs:
  IP:           10.xx.xx.xxx
Controlled By:  Job/kube-bench
Containers:
  kube-bench:
    Container ID:  containerd://6d32baa3761533f37aa5a1017c7ebed7edc447cfbbc0b0226eb4a1a967f3659d
    Image:         docker.io/aquasec/kube-bench:latest
    Image ID:      docker.io/aquasec/kube-bench@sha256:1f91942f94a79c8298b06a562c74c17d43fcddb9159d82174485f8358ff3832b
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-bench
      run
      --targets
      node
      --benchmark
      eks-1.2.0
      --asff
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sun, 07 Apr 2024 12:32:53 -0500
      Finished:     Sun, 07 Apr 2024 12:32:54 -0500
    Ready:          False
    Restart Count:  0
    Environment:
      NODE_NAME:                    (v1:spec.nodeName)
      AWS_STS_REGIONAL_ENDPOINTS:   regional
      AWS_DEFAULT_REGION:           us-east-1
      AWS_REGION:                   us-east-1
      AWS_ROLE_ARN:                 arn:aws:iam::xxxxx:role/kube-bench-cis-scan-re
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /etc/kubernetes from etc-kubernetes (ro)
      /etc/systemd from etc-systemd (ro)
      /opt/kube-bench/cfg/eks-1.2.0/config.yaml from kube-bench-eks-config (ro,path="config.yaml")
      /var/lib/kubelet from var-lib-kubelet (ro)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zlqb5 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   False
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  var-lib-kubelet:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/kubelet
    HostPathType:
  etc-systemd:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/systemd
    HostPathType:
  etc-kubernetes:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes
    HostPathType:
  kube-bench-eks-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kube-bench-eks-config
    Optional:  false
  kube-api-access-zlqb5:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  5m19s  default-scheduler  Successfully assigned kube-bench/kube-bench-g2lq2 to ip-xx-xx-xx-5.ec2.internal
  Normal  Pulling    5m19s  kubelet            Pulling image "docker.io/aquasec/kube-bench:latest"
  Normal  Pulled     5m19s  kubelet            Successfully pulled image "docker.io/aquasec/kube-bench:latest" in 125ms (125ms including waiting)
  Normal  Created    5m19s  kubelet            Created container kube-bench
  Normal  Started    5m19s  kubelet            Started container kube-bench
```
What did you expect to happen:
I'm expecting that the pods should run smoothly and push the results to AWS Security Hub without encountering these errors.
Environment
[What is your version of kube-bench? (run `kube-bench version`)]
latest -> v0.7.2
[What is your version of Kubernetes? (run `kubectl version` or `oc version` on OpenShift.)]
EKS 1.29
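Added pre-flight check, written for this page and not part of the issue or of kube-bench itself: before running the job, the script below verifies that the values in the `kube-bench-eks-config` ConfigMap (`AWS_ACCOUNT`, `AWS_REGION`, `CLUSTER_ARN`) and the IAM role in the ServiceAccount's `eks.amazonaws.com/role-arn` annotation agree with each other (same 12-digit account, cluster region matching `AWS_REGION`, role ARN actually naming an IAM role). The sample values are constructed placeholders in the shape of the manifest above. It only catches inconsistent configuration; it cannot tell whether the role's policy grants `securityhub:BatchImportFindings` or whether the SDK error in this issue is present.

```python
import re

# Constructed sample values in the shape of the issue's ConfigMap and the
# ServiceAccount role annotation; account id, cluster and role names are placeholders.
SAMPLE_CONFIG = {
    "AWS_ACCOUNT": "111122223333",
    "AWS_REGION": "us-east-1",
    "CLUSTER_ARN": "arn:aws:eks:us-east-1:111122223333:cluster/example-stage",
}
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/kube-bench-cis-scan-re"

# arn:partition:service:region:account-id:resource (region/account may be empty, e.g. IAM)
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into its components, or return None if it is malformed."""
    m = ARN_RE.match(arn or "")
    return m.groupdict() if m else None


def preflight(config, role_arn):
    """Return a list of inconsistencies between the kube-bench EKS config values
    and the IAM role the pod will assume via IRSA. An empty list means the values
    agree with one another; it does not prove the role has Security Hub permissions."""
    problems = []
    for key in ("AWS_ACCOUNT", "AWS_REGION", "CLUSTER_ARN"):
        if not config.get(key):
            problems.append(f"{key} is missing or empty")
    if problems:
        return problems

    account, region = config["AWS_ACCOUNT"], config["AWS_REGION"]
    if not re.fullmatch(r"\d{12}", account):
        problems.append("AWS_ACCOUNT must be the 12-digit account id")
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        problems.append(f"AWS_REGION {region!r} does not look like an AWS region code")

    cluster = parse_arn(config["CLUSTER_ARN"])
    if cluster is None:
        problems.append("CLUSTER_ARN is not a well-formed ARN")
    else:
        if cluster["service"] != "eks" or not cluster["resource"].startswith("cluster/"):
            problems.append("CLUSTER_ARN is not an EKS cluster ARN")
        if cluster["region"] != region:
            problems.append(
                f"CLUSTER_ARN region {cluster['region']!r} != AWS_REGION {region!r}"
            )
        if cluster["account"] != account:
            problems.append("CLUSTER_ARN account does not match AWS_ACCOUNT")

    role = parse_arn(role_arn)
    if role is None:
        problems.append("role-arn annotation is not a well-formed ARN")
    else:
        if role["service"] != "iam" or not role["resource"].startswith("role/"):
            problems.append("role-arn annotation is not an IAM role ARN")
        if role["account"] != account:
            problems.append("role-arn account does not match AWS_ACCOUNT")
    return problems


if __name__ == "__main__":
    issues = preflight(SAMPLE_CONFIG, SAMPLE_ROLE_ARN)
    print("OK" if not issues else "\n".join(issues))
```

Feed it the real values from your ConfigMap and annotation (for example by reading them with `kubectl get configmap ... -o jsonpath`); a mismatch between the cluster's region and `AWS_REGION` is worth ruling out first, because Security Hub findings are published per region.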
Activity
codehopper-uk commented on May 3, 2024
Any update on this? I'm experiencing the same error with the same setup:
```
failed to output to ASFF: finding publish failed: not found, ResolveEndpointV2
```
harshvardhan1402 commented on May 5, 2024
Facing the same error too, do we have any update on this?
ShahbazRahmat commented on May 28, 2024
Hi @harshvardhan1402,
I encountered the same issue while deploying Kube-bench with the latest version. The latest version has some bugs, though I am not sure of the specifics. However, I deployed version 6.19.0, and it is working for me.
You can download version 6.19.0 using the command below and follow the steps mentioned in the official documentation.
```
git clone https://github.com/aquasecurity/kube-bench.git --branch v0.6.19
```
prafultamrakar commented on Aug 12, 2024
```
git clone https://github.com/aquasecurity/kube-bench.git --branch v0.6.19
```
worked for me, thanks @ShahbazRahmat
w-reichert commented on Aug 19, 2024
I wonder if this issue will be fixed. In version v0.8.0 we still see the same error.
The root cause might be related to the aws-sdk-go packages as described here: aws/aws-sdk-go-v2#2370 (comment)
Thank you.
Fix issue 1595: failed to output to ASFF (#1691)