OpenShift Bugs: OCPBUGS-19553

The file permission for pod specification files of the kube-apiserver should be updated to 600 to conform with CIS benchmarks


      This is a clone of issue OCPBUGS-16796. The following is the description of the original issue:

      Description of problem:

       

      Observation from the CIS benchmark v1.4 PDF:
      1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
      “Ensure that the API server pod specification file has permissions of 600 or more restrictive.
      OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.
      The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd.
      The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 600.”
       
      To conform with the CIS benchmark, the permissions on the kube-apiserver pod specification file /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml should be changed to 600. The current mode, as reported from inside each kube-apiserver pod, is 644:
      
      $ for i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )
        do
          oc exec -n openshift-kube-apiserver $i -- \
            stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
        done
      644
      644
      644
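      The loop above only prints the mode; it does not decide whether a given mode satisfies "600 or more restrictive", which is the actual CIS test (no bit set outside owner read/write, including setuid/setgid/sticky bits). The following script is an added example written for this page, not code from the bug report or from OpenShift. It implements that decision as a reusable check, runs it over two constructed files (one with the 644 observed in the report, one fixed to 600), and shows in a comment how the same check would be fed from a cluster with oc debug (the node name there is hypothetical). It relies on GNU coreutils stat -c %a, the same invocation the report uses.

```shell
#!/bin/sh
# CIS 1.1.1 check: pod specification file mode must be 600 or more restrictive.
# Added example, not from the bug report or the OpenShift project. Uses GNU
# coreutils `stat -c %a` (Linux), which is what the report's oc exec loop uses.

# oct2dec: convert an octal mode string as printed by `stat -c %a` (644, 600,
# 4755 ...) to decimal digit by digit, so we do not depend on the shell
# treating a leading zero as octal inside $(( )).
oct2dec() {
    s="$1"; d=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}      # first character
        s=${s#?}             # remainder
        d=$(( d * 8 + c ))
    done
    echo "$d"
}

# check_mode MODE: succeed (0) if MODE is 600 or more restrictive, i.e. no bit
# set outside u+rw. The mask 3711 is 07777 minus 0600, so it also rejects
# setuid/setgid/sticky bits, not just group/other and owner-execute.
# Returns 2 for input that is not an octal number.
check_mode() {
    mode="$1"
    case "$mode" in ''|*[!0-7]*) return 2 ;; esac
    [ $(( $(oct2dec "$mode") & 3711 )) -eq 0 ]
}

# check_file PATH: stat the file and report PASS/FAIL the way a compliance
# scanner would. Returns 0 PASS, 1 FAIL, 2 missing/unreadable.
check_file() {
    f="$1"
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    mode=$(stat -c %a "$f") || return 2
    if check_mode "$mode"; then
        echo "PASS $f mode=$mode"
    else
        echo "FAIL $f mode=$mode (expected 600 or more restrictive)"
        return 1
    fi
}

# Demo on constructed files: one with the 644 the report observed, one fixed.
run_demo() {
    tmp=$(mktemp -d)
    printf 'apiVersion: v1\nkind: Pod\n' > "$tmp/kube-apiserver-pod.yaml"
    chmod 644 "$tmp/kube-apiserver-pod.yaml"      # as observed in the bug
    cp "$tmp/kube-apiserver-pod.yaml" "$tmp/fixed.yaml"
    chmod 600 "$tmp/fixed.yaml"                   # what CIS 1.1.1 expects
    rc=0
    for f in "$tmp/kube-apiserver-pod.yaml" "$tmp/fixed.yaml"; do
        check_file "$f" || rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# On a real cluster, feed the same check the mode of the static pod manifest
# on each control-plane node, e.g. (hypothetical node name):
#   check_mode "$(oc debug node/master-0 -- chroot /host \
#       stat -c %a /etc/kubernetes/manifests/kube-apiserver-pod.yaml)"
run_demo || echo "at least one file is more permissive than 600"
```

      Note that 644 fails because group and other read bits are set, while 400 or 0 passes: the benchmark wording is a ceiling, not an exact match, which is why a bitmask rather than a string comparison against "600" is the right test.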
      

       

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-20-215234

      How reproducible:

      Always

      Steps to Reproduce:

      1. On a cluster running the version above, list the kube-apiserver pods in the openshift-kube-apiserver namespace (label app=openshift-kube-apiserver).
      2. In each pod, run stat -c %a on /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml (see the loop in the description).
      3. Compare the reported mode with the CIS 1.1.1 expectation of 600 or more restrictive.
      

      Actual results:

      The permission of the pod specification file for the kube-apiserver is 644.

      Expected results:

      The permission of the pod specification file for the kube-apiserver should be updated to 600.

      Additional info:

      Fix (library-go commit): https://github.com/openshift/library-go/commit/19a42d2bae8ba68761cfad72bf764e10d275ad6e

       

            Assignee: Unassigned
            People: OpenShift Prow Bot (openshift-crt-jira-prow), Rahul Gangwar
            Votes: 0
            Watchers: 7