OpenShift Bugs / OCPBUGS-16788

The file permissions of /var/lib/cni/networks/openshift-sdn in all sdn pods should be updated to 600 to conform with CIS benchmarks


    • SDN Sprint 243, SDN Sprint 244
    • Rejected
    • Release Note Not Required
    • In Progress

      Description of problem:

      Observation from CISv1.4 pdf:
      1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
      
      "Container Network Interface provides various networking options for overlay networking.
      You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be writable by only the administrators on the system."
       
      To conform with the CIS benchmark, the permissions of the /var/lib/cni/networks/openshift-sdn files in all sdn pods should be changed to 600.
      $ for i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c %a {} \;; done
      Defaulted container "sdn" out of: sdn, kube-rbac-proxy
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      Defaulted container "sdn" out of: sdn, kube-rbac-proxy
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      Defaulted container "sdn" out of: sdn, kube-rbac-proxy
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      Defaulted container "sdn" out of: sdn, kube-rbac-proxy
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      Defaulted container "sdn" out of: sdn, kube-rbac-proxy
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      Defaulted container "sdn" out of: sdn, kube-rbac-proxy
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
      644
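      The check above prints a bare mode per file, so conformance has to be judged by eye. The script below is an added audit helper, not part of this bug report or of the openshift-sdn code: it evaluates each mode against the CIS 1.1.9 threshold ("600 or more restrictive", i.e. no bit set outside 0600), skips the "Defaulted container" chatter that oc prints when no container is named, and counts violations. It assumes the same namespace, pod label and directory as the report, uses `stat -c '%a %n'` instead of `%a` so that the report names the offending file, and ships with a constructed sample of stat output so it can be exercised without a cluster (the file names in the sample are made up to resemble host-local IPAM state).

```bash
#!/usr/bin/env bash
# Added audit helper for CIS 1.1.9 (CNI file permissions 600 or more restrictive).
# Assumptions: openshift-sdn namespace, pods labelled app=sdn, container "sdn",
# CNI state under /var/lib/cni/networks/openshift-sdn (all taken from the report).
set -u

CNI_DIR="/var/lib/cni/networks/openshift-sdn"
MAX_MODE=600   # CIS 1.1.9 threshold: 600 or more restrictive

# Return 0 when an octal mode string (as printed by `stat -c %a`) is 600 or more
# restrictive, i.e. it sets no bit outside owner-read/owner-write (0600).
# Returns 1 when too permissive and 2 when the argument is not an octal mode.
mode_is_restrictive_enough() {
  local mode="$1"
  case "$mode" in ''|*[!0-7]*) return 2 ;; esac
  local n=$((8#$mode))            # parse as octal
  (( (n & ~0600) == 0 ))           # group/other/exec/setuid/setgid/sticky all forbidden
}

# Read "MODE PATH" lines (output of `stat -c '%a %n'`) from stdin, report each
# non-conformant file on stderr and echo the number of violations on stdout.
audit_stat_lines() {
  local mode path bad=0
  while read -r mode path; do
    [ -z "$mode" ] && continue
    # `oc exec` without -c prints 'Defaulted container "sdn" ...'; not stat output.
    case "$mode" in Defaulted) continue ;; esac
    if ! mode_is_restrictive_enough "$mode"; then
      printf 'NONCONFORMANT %s mode=%s (want %s or more restrictive)\n' \
        "$path" "$mode" "$MAX_MODE" >&2
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# Live check: same loop as the report, but naming the container (no "Defaulted"
# noise) and emitting file names. Needs `oc` logged in with rights to exec into
# the sdn pods. Echoes the total number of non-conformant files across all pods.
audit_cluster() {
  local pod total=0 bad
  for pod in $(oc get pods -n openshift-sdn -l app=sdn -o name); do
    bad=$(oc exec -n openshift-sdn -c sdn "$pod" -- \
            find "$CNI_DIR" -type f -exec stat -c '%a %n' {} \; | audit_stat_lines)
    total=$((total + bad))
  done
  echo "$total"
}

# Constructed sample of one pod's output (file names invented to resemble
# host-local IPAM state) so the logic can be exercised offline.
SAMPLE_STAT_OUTPUT='Defaulted container "sdn" out of: sdn, kube-rbac-proxy
644 /var/lib/cni/networks/openshift-sdn/10.128.0.5
644 /var/lib/cni/networks/openshift-sdn/10.128.0.6
600 /var/lib/cni/networks/openshift-sdn/last_reserved_ip.0
400 /var/lib/cni/networks/openshift-sdn/lock'

# Offline run over the constructed sample; echoes the violation count (2).
audit_sample() {
  printf '%s\n' "$SAMPLE_STAT_OUTPUT" | audit_stat_lines
}

case "${1:-}" in
  --cluster) audit_cluster ;;   # ./cni-perms-audit.sh --cluster
  --sample)  audit_sample ;;    # ./cni-perms-audit.sh --sample
esac
```

      Running it with `--sample` reports the two 644 files and prints 2; with `--cluster` it walks every sdn pod and prints the cluster-wide total, so a non-zero result is the condition this bug describes. The mode test is a bit mask rather than a numeric comparison on purpose: 640 is numerically larger than 600 but also fails, while 400 is numerically smaller and passes, which is what "600 or more restrictive" means.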
      

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-20-215234

      How reproducible:

      Always

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      The file permissions of the /var/lib/cni/networks/openshift-sdn files in all sdn pods are 644.

      Expected results:

      The file permissions of the /var/lib/cni/networks/openshift-sdn files in all sdn pods should be updated to 600.

      Additional info:

       

            rravaiol@redhat.com Riccardo Ravaioli
            xiyuan@redhat.com Xiaojie Yuan
            Weibin Liang Weibin Liang