Bug
Resolution: Unresolved
Normal
compliance-operator-1.4.0
The rule ocp4-file-permissions-kube-controller-manager contradicts itself. The description of the rule contains a command which can be used to correct the permissions on the specified files. In that command, the permissions set are 0600 (-rw-------). A little later it is written that the permissions should be 0644 (-rw-r--r--).
I have marked the places with ---> <---
~~~
$ oc get rules -n openshift-compliance -o yaml ocp4-file-permissions-kube-controller-manager
apiVersion: compliance.openshift.io/v1alpha1
checkType: Node
description: |-
  To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command:
  ---> $ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod*/kube-controller-manager-pod.yaml <---
id: xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager
instructions: |-
  To check the permissions of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml,
  you'll need to log into a node in the cluster.
  As a user with administrator privileges, log into a node in the relevant pool:
  $ oc debug node/$NODE_NAME
  At the sh-4.4# prompt, run:
  # chroot /host
  Then, run the command:
  $ ls -l /etc/kubernetes/static-pod-resources/kube-controller-manager-pod*/kube-controller-manager-pod.yaml
  ---> If properly configured, the output should indicate the following permissions:
  -rw-r--r-- <---
~~~
We need to remove this contradictory statement from the RULE.
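The contradiction is easy to miss because the remediation is stated as an octal mode (0600) while the check is stated as an `ls -l` string (-rw-r--r--). The script below is an added example, not part of the bug report and not code from the compliance-operator rule: it renders an octal mode in `ls -l` form and compares the actual mode of the manifest files on a node (after `oc debug node/... ` and `chroot /host`) against an expected octal mode, so the two forms can be checked on equal terms. It assumes GNU coreutils `stat -c %a`; the file paths and modes used in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the compliance-operator rule):
# render an octal mode the way `ls -l` shows it, and check files on a node
# against an expected octal mode. Assumes GNU `stat -c %a` (RHCOS has it).

# Render the low three octal digits of a mode as the rwx string `ls -l`
# prints for a regular file: 0600 -> -rw-------, 0644 -> -rw-r--r--.
mode_to_ls() {
    m=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')   # owner, group, other digits
    out='-'                                            # regular-file type column
    for d in $(printf '%s' "$m" | sed 's/./& /g'); do  # one digit per iteration
        case "$d" in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) echo "bad octal digit: $d" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# Compare each path after the expected mode against `stat`; print one
# PASS/FAIL/MISSING line per file and return non-zero if anything deviates.
# Usage: check_mode 0600 /path/a.yaml /path/b.yaml ...
check_mode() {
    want=$(printf '%s' "$1" | sed 's/^0*//'); shift    # "0600" and "600" are the same mode
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"; rc=1; continue
        fi
        have=$(stat -c '%a' "$f")
        if [ "$have" = "$want" ]; then
            printf 'PASS %s %s\n' "$f" "$(mode_to_ls "$have")"
        else
            printf 'FAIL %s has %s (%s), expected %s (%s)\n' \
                "$f" "$have" "$(mode_to_ls "$have")" "$want" "$(mode_to_ls "$want")"
            rc=1
        fi
    done
    return $rc
}

# Run on a node (paths are an assumed example; the glob expands on the host):
#   sh check_mode.sh 0600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod*/kube-controller-manager-pod.yaml
if [ "$#" -ge 2 ]; then
    check_mode "$@"
fi
```

Running it with 0600 against a manifest that was left at 0644 prints a FAIL line showing both renderings side by side, which is exactly the comparison the rule text currently leaves to the reader. Whichever mode the rule's maintainers settle on, the remediation command and the expected `ls -l` output should be derived from the same octal value.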