Observation from CISv1.4 pdf:
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
“Ensure that the API server pod specification file has permissions of 600 or more restrictive.
OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.
The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd.
The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 600.”
To conform with the CIS benchmark, the permissions on the kube-apiserver pod specification file, /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml, should be 600 or more restrictive. Verify the current permissions on each kube-apiserver pod with:
$ for i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name ); do
    oc exec -n openshift-kube-apiserver $i -- \
      stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
  done
Every pod should report 600 (or a more restrictive value such as 400).
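The loop above prints a mode per pod but leaves the "600 or more restrictive" judgement to the reader, and that judgement is bitwise rather than numeric (640 is not compliant even though it is "less than" 700; 400 is compliant). The following is an added audit helper, not part of the CIS benchmark or the original post. It assumes an `oc` session with cluster-admin rights, the label app=openshift-kube-apiserver on the static pods (as in the snippet above), a `stat` binary in the kube-apiserver image, and the file path from the benchmark; `mode_ok`, `collect_modes` and `audit` are names chosen here.

```bash
#!/bin/sh
# Added CIS 1.1.1 audit helper (not from the CIS benchmark or the original post).
# Assumptions: `oc` is logged in with cluster-admin, the kube-apiserver static pods
# carry the label app=openshift-kube-apiserver, and the container image provides
# `stat`. Written for POSIX sh; runs unchanged under bash.

NS=openshift-kube-apiserver
SPEC=/etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml

# "600 or more restrictive" is a bitwise test: a mode passes only if no permission
# bit is set outside owner read/write. So 600 and 400 pass, while 640, 604, 700 and
# anything carrying setuid/setgid/sticky bits (e.g. 4600) fail.
mode_ok() {
    local m
    m=$1
    case "$m" in
        ''|*[!0-7]*) return 1 ;;        # empty, the word "error", or not octal digits
    esac
    # A leading 0 makes the shell parse the constant as octal; 384 == 0600.
    # Any bit left after masking off owner rw is a violation.
    [ $(( 0$m & ~384 )) -eq 0 ]
}

# Emit one "<pod> <mode>" line per kube-apiserver pod from the live cluster.
# A failed exec yields the literal word "error" so the pod is reported, not skipped.
collect_modes() {
    for pod in $(oc get pods -n "$NS" -l app=openshift-kube-apiserver -o name); do
        mode=$(oc exec -n "$NS" "$pod" -- stat -c %a "$SPEC" 2>/dev/null) || mode=error
        printf '%s %s\n' "$pod" "$mode"
    done
}

# Read "<pod> <mode>" lines from stdin, print a verdict per pod, and return 1 if
# any pod is non-compliant, so the script can gate a CI job or a compliance report.
audit() {
    local rc pod mode
    rc=0
    while read -r pod mode; do
        if mode_ok "$mode"; then
            printf 'PASS %s %s mode %s\n' "$pod" "$SPEC" "$mode"
        else
            printf 'FAIL %s %s mode %s (expected 600 or more restrictive)\n' \
                "$pod" "$SPEC" "$mode"
            rc=1
        fi
    done
    return "$rc"
}

# Against a live cluster:
#   collect_modes | audit
```

The pod-side check reads the file through the hostPath mount, which is what the benchmark's audit text describes. The file the kubelet actually consumes is the copy on the control plane node at /etc/kubernetes/manifests/kube-apiserver-pod.yaml; its mode can be fed to the same `audit` function from `oc debug node/<node> -- chroot /host stat -c %a /etc/kubernetes/manifests/kube-apiserver-pod.yaml`, which is the check to prefer when the two views might disagree.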