Details
-
Bug
-
Resolution: Done-Errata
-
Undefined
-
4.14.0
-
None
-
Moderate
-
No
-
False
-
-
Release Note Not Required
-
In Progress
Description
Description of problem:
Observation from CISv1.4 pdf: 1.1.3 Ensure that the controller manager pod specification file When I checked I found description of the controller manager pod specification file in CIS v1.4 PDF is as follows: "Ensure that the controller manager pod specification file has permissions of 600 or more restrictive. OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server. The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 600." To conform with CIS benchmarks, the controller manager pod specification file should be updated to 600. $ for i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager) do oc exec -n openshift-kube-controller-manager $i -- stat -c %a /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml done 644 644 644
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-07-20-215234
How reproducible:
Always
Steps to Reproduce:
1. 2. 3.
Actual results:
The controller manager pod specification file for the kube-apiserver is 644.
Expected results:
The controller manager pod specification file for the kube-apiserver is 644.
Additional info:
https://github.com/openshift/library-go/commit/19a42d2bae8ba68761cfad72bf764e10d275ad6e
Attachments
Issue Links
- links to
-
RHEA-2023:7198
rpm
