OpenShift Bugs / OCPBUGS-14323

Change static manifest pod files permissions to 0600 to conform with CIS benchmarks


Details

    • Bug
    • Resolution: Done-Errata
    • Normal
    • 4.14.0
    • 4.14.0
    • kube-scheduler
    • No
    • False

    Description

      Refer to the CIS RedHat OpenShift Container Platform Benchmark PDF: https://drive.google.com/file/d/12o6O-M2lqz__BgmtBrfeJu1GA2SJ352c/view
      1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Manual)
      ======================================================================================================
      As per CIS v1.3 PDF permissions should be 600 with the following statement:
      "The pod specification file is created on control plane nodes at /etc/kubernetes/manifests/etcd-member.yaml with permissions 644. Verify that the permissions are 600 or more restrictive."
      But when I ran the following command it was showing 644 permissions

      # Print the octal mode of the etcd static pod manifest as seen from each etcd pod
      for i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd)
      do
        echo "check pod $i"
        oc rsh -n openshift-etcd "$i" \
          stat -c %a /etc/kubernetes/manifests/etcd-pod.yaml
      done
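
The loop in the description prints the raw mode for each etcd pod. As an added example (not part of the original report or of OpenShift's own code), the script below turns the benchmark's "600 or more restrictive" wording into a bitmask check over a manifest directory. The function names and the sample files it creates in a temporary directory are assumptions made for illustration; it relies on the same GNU stat -c %a call used above.

```shell
#!/bin/sh
# Added example (not from the bug report): audit static pod manifests
# against the CIS wording "600 or more restrictive".

# mode_ok MODE: succeed when octal MODE grants nothing beyond owner
# read/write. 600 and 400 pass; 644, 640 and 700 fail.
mode_ok() {
    # Every permission bit outside 0600 (including setuid/setgid/sticky)
    # must be clear.
    [ $(( 0$1 & ~0600 & 07777 )) -eq 0 ]
}

# audit_manifests DIR: print PASS/FAIL for each *.yaml file in DIR.
# Returns 0 if all files comply, 1 if any file is too permissive.
audit_manifests() {
    rc=0
    for f in "$1"/*.yaml; do
        [ -f "$f" ] || continue        # glob matched nothing
        mode=$(stat -c %a "$f")        # GNU stat, as used in the report
        if mode_ok "$mode"; then
            echo "PASS $mode $f"
        else
            echo "FAIL $mode $f"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: a temporary directory stands in for
# /etc/kubernetes/manifests so the script runs without a cluster.
demo() {
    d=$(mktemp -d) || return 1
    for m in 644 600 400; do
        : > "$d/sample-$m.yaml"
        chmod "$m" "$d/sample-$m.yaml"
    done
    audit_manifests "$d" || echo "non-compliant manifest(s) found"
    rm -rf "$d"
}
demo
```

On a control plane node, calling audit_manifests /etc/kubernetes/manifests gives a non-zero exit status whenever any manifest is more permissive than 600, which makes it usable as a compliance gate.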
      

          People

            jchaloup@redhat.com Jan Chaloupka
            Rama Kasturi Narra