Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-19553

The file permission for pod specification files of the kube-apiserver should be updated to 600 to conform with CIS benchmarks

XMLWordPrintable

    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None

      This is a clone of issue OCPBUGS-16796. The following is the description of the original issue:

      Description of problem:

       

      Observation from CISv1.4 pdf:
      1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
      
      
      
      “Ensure that the API server pod specification file has permissions of 600 or more restrictive.
      OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.
      The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd.
      The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 600.”
       
      To conform with CIS benchmarksChange, the pod specification file for the kube-apiserver /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml  files should be updated to 600.
      
      $ for i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )
      do                 
      oc exec -n openshift-kube-apiserver $i -- \
      stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
      done
      644
      644
      644
      

       

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-20-215234

      How reproducible:

      Always

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      The permission of the pod specification file for the kube-apiserver is 644.

      Expected results:

      The permission of the pod specification file for the kube-apiserver should be updated to 600.

      Additional info:

      PR: https://github.com/openshift/library-go/commit/19a42d2bae8ba68761cfad72bf764e10d275ad6e

       

              Unassigned Unassigned
              openshift-crt-jira-prow OpenShift Prow Bot
              Rahul Gangwar Rahul Gangwar
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: