OpenShift Bugs / OCPBUGS-22995

Rule ocp4-cis-file-permissions-cni-conf returned a false negative result


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • 4.16.0
    • 4.14.z
    • Networking / multus
    • None
    • Important
    • No
    • CMP Sprint 73, CMP Sprint 74, CMP Sprint 75
    • 3
    • False

      Description of problem:


      Rule ocp4-cis-file-permissions-cni-conf returned a false negative result.
      In the CIS benchmark v1.4.0, the following command is used to check the multus config on nodes:


      $ for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%a %n\" /host/etc/cni/net.d/*.conf"; done
      600 /host/etc/cni/net.d/00-multus.conf
      600 /host/etc/cni/net.d/00-multus.conf
      600 /host/etc/cni/net.d/00-multus.conf
      600 /host/etc/cni/net.d/00-multus.conf
      600 /host/etc/cni/net.d/00-multus.conf
      600 /host/etc/cni/net.d/00-multus.conf

      Per the rule instructions, it checks /etc/cni/net.d/ on the node.
      However, the multus config on the nodes is under /etc/kubernetes/cni/net.d/, not /etc/cni/net.d/:


      $ oc debug node/hongli-az-8pzqq-master-0 -- chroot /host ls -ltr /etc/cni/net.d/
      Starting pod/hongli-az-8pzqq-master-0-debug ...
      To use host binaries, run `chroot /host`
      total 8
      -rw-r--r--. 1 root root 129 Nov  7 02:18 200-loopback.conflist
      -rw-r--r--. 1 root root 469 Nov  7 02:18 100-crio-bridge.conflist
      Removing debug pod ...
      $ oc debug node/hongli-az-8pzqq-master-0 -- chroot /host ls -ltr /etc/kubernetes/cni/net.d/
      Starting pod/hongli-az-8pzqq-master-0-debug ...
      To use host binaries, run `chroot /host`
      total 4
      drwxr-xr-x. 2 root root  60 Nov  7 02:23 whereabouts.d
      -rw-------. 1 root root 352 Nov  7 02:23 00-multus.conf
      Removing debug pod ...
      $  for node in `oc get node --no-headers|awk '{print $1}'`; do oc debug node/$node -- chroot /host ls -l /etc/kubernetes/cni/net.d/; done
      Starting pod/hongli-az-8pzqq-master-0-debug ...
      To use host binaries, run `chroot /host`
      total 4
      -rw-------. 1 root root 352 Nov  7 02:23 00-multus.conf
      drwxr-xr-x. 2 root root  60 Nov  7 02:23 whereabouts.d
      Removing debug pod ...
      Starting pod/hongli-az-8pzqq-master-1-debug ...
      To use host binaries, run `chroot /host`
      total 4
      -rw-------. 1 root root 352 Nov  7 02:23 00-multus.conf
      drwxr-xr-x. 2 root root  60 Nov  7 02:23 whereabouts.d
      Removing debug pod ...
      Starting pod/hongli-az-8pzqq-master-2-debug ...
      To use host binaries, run `chroot /host`
      total 4
      -rw-------. 1 root root 352 Nov  7 02:23 00-multus.conf
      drwxr-xr-x. 2 root root  60 Nov  7 02:23 whereabouts.d
      Removing debug pod ...
      Starting pod/hongli-az-8pzqq-worker-westus-2mx6t-debug ...
      To use host binaries, run `chroot /host`
      total 4
      -rw-------. 1 root root 352 Nov  7 02:38 00-multus.conf
      drwxr-xr-x. 2 root root  60 Nov  7 02:38 whereabouts.d
      Removing debug pod ...
      Starting pod/hongli-az-8pzqq-worker-westus-9qhf5-debug ...
      To use host binaries, run `chroot /host`
      total 4
      -rw-------. 1 root root 352 Nov  7 02:38 00-multus.conf
      drwxr-xr-x. 2 root root  60 Nov  7 02:38 whereabouts.d
      Removing debug pod ...
      Starting pod/hongli-az-8pzqq-worker-westus-bcdpd-debug ...
      To use host binaries, run `chroot /host`
      total 4
      -rw-------. 1 root root 352 Nov  7 02:38 00-multus.conf
      drwxr-xr-x. 2 root root  60 Nov  7 02:38 whereabouts.d
      Removing debug pod ...
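
      The check below is an added example, not part of this report or of the compliance operator's rule. It evaluates "stat -c '%a %n'" lines (the same output the rule consumes) against the 600 limit with a bitmask, so any mode granting a bit beyond 600 is flagged, and includes a hypothetical collector that reads the host path where the multus config actually lives; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the compliance operator): check
# CNI config file modes against the CIS limit of 600. Input is the output of
# "stat -c '%a %n'" as used by the rule; only the collected path differs.

# True (exit 0) when MODE grants any permission bit that MAX_MODE does not.
mode_violates() {
    max_mode="$1"; mode="$2"
    # A leading 0 makes the shell parse both numbers as octal.
    [ $(( 0$mode & ~0$max_mode )) -ne 0 ]
}

# Read "<mode> <path>" lines on stdin; print each violation, return 1 if any.
check_cni_modes() {
    max_mode="${1:-600}"; rc=0
    while read -r mode path; do
        [ -n "$mode" ] || continue
        if mode_violates "$max_mode" "$mode"; then
            printf 'FAIL %s %s\n' "$mode" "$path"; rc=1
        fi
    done
    return $rc
}

# Hypothetical collector for a live cluster (needs oc and cluster-admin):
# stats files under the host path the multus config actually lives in,
# not the /etc/cni/net.d path named in the rule instructions.
collect_node_cni_modes() {
    dir="${1:-/etc/kubernetes/cni/net.d}"
    for node in $(oc get node --no-headers | awk '{print $1}'); do
        oc debug "node/$node" -- chroot /host sh -c \
            "stat -c '%a %n' $dir/*.conf $dir/*.conflist 2>/dev/null"
    done
}

# Constructed sample input: the 600 modes seen in the report plus a 644 file.
SAMPLE='600 /etc/kubernetes/cni/net.d/00-multus.conf
600 /etc/kubernetes/cni/net.d/00-multus.conf
644 /etc/cni/net.d/200-loopback.conflist'

if printf '%s\n' "$SAMPLE" | check_cni_modes 600; then
    echo "all files within 600"
else
    echo "non-compliant files found"
fi
```

      On a cluster, pipe collect_node_cni_modes into check_cni_modes 600 to get one FAIL line per offending file across all nodes.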
      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-11-05-194730

      How reproducible:

      Always

      Steps to Reproduce:

      1. $ for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%a %n\" /host/etc/cni/net.d/*.conf"; done
      2. $ for node in `oc get node --no-headers|awk '{print $1}'`; do oc debug node/$node -- chroot /host ls -l /etc/kubernetes/cni/net.d/; done


      Actual results:

      The rule checks the wrong path and returns FAIL.

      Expected results:

      The rule should check the right path and return PASS.

      Additional info:

      This also applies to both SDN and OVN.

            dosmith Douglas Smith
            xiyuan@redhat.com Xiaojie Yuan
            Weibin Liang Weibin Liang