Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-14323

Change static manifest pod files permissions to 0600 to conform with CIS benchmarks

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.14.0
    • 4.14.0
    • kube-scheduler
    • No
    • False
    • Hide

      None

      Show
      None

      Refer to the CIS RedHat OpenShift Container Platform Benchmark PDF: https://drive.google.com/file/d/12o6O-M2lqz__BgmtBrfeJu1GA2SJ352c/view
      1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Manual)
      ======================================================================================================
      As per CIS v1.3 PDF permissions should be 600 with the following statement:
      "The pod specification file is created on control plane nodes at /etc/kubernetes/manifests/etcd-member.yaml with permissions 644. Verify that the permissions are 600 or more restrictive."
      But when I ran the following command it was showing 644 permissions

      for i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )
do
echo "check pod $i"
oc rsh -n openshift-etcd $i \
stat -c %a /etc/kubernetes/manifests/etcd-pod.yaml
done

              jchaloup@redhat.com Jan Chaloupka
              jchaloup@redhat.com Jan Chaloupka
              Rama Kasturi Narra Rama Kasturi Narra
              Votes:
              1 Vote for this issue
              Watchers:
              15 Start watching this issue

                Created:
                Updated:
                Resolved: