
assisted-installer-controller reads secrets from environment variables, which is not CIS Compliant


    Description

      Description of problem:

      Security baselines such as CIS recommend exposing secrets to containers as files rather than as environment variables.
      
      5.4.1 Prefer using secrets as files over secrets as environmen... | Tenable®
      https://www.tenable.com/audits/items/CIS_Kubernetes_v1.6.1_Level_2_Master.audit:98de3da69271994afb6211cf86ae4c6b
      Secrets in Kubernetes must not be stored as environment variables.
      https://www.stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242415
      
      However, the assisted-installer-controller Pod and Job source the pull secret from an environment variable:
      
      $ oc get pod -n assisted-installer assisted-installer-controller-kbm85 -o yaml | grep -C2 secretKeyRef
          - name: PULL_SECRET_TOKEN
            valueFrom:
              secretKeyRef:
                key: pull-secret-token
                name: assisted-installer-controller-secret
      
      $ oc get job -n assisted-installer assisted-installer-controller -o yaml | grep -C2 secretKeyRef
              - name: PULL_SECRET_TOKEN
                valueFrom:
                  secretKeyRef:
                    key: pull-secret-token
                    name: assisted-installer-controller-secret
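      As an added example (not code from this report or from the assisted-installer project), the following check walks a Pod or Job manifest and flags every container environment variable that is sourced from a Secret, which is the condition CIS 5.4.1 and STIG V-242415 object to; it is run against a constructed manifest mirroring the Job above and against the file-mount alternative. The mount path and the PULL_SECRET_TOKEN_FILE variable in the compliant version are assumed conventions, not the project's.

```python
# Added example (not code from the report or the assisted-installer project):
# flag secrets injected as environment variables (CIS 5.4.1 / STIG V-242415)
# in Pod or Job manifests, and show the file-mount alternative.

def pod_spec(manifest):
    """PodSpec of a Pod, or of the PodTemplate inside a Job/Deployment."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def find_env_secrets(manifest):
    """Return (container, env var, secret, key) for every Secret-sourced env entry.

    Covers env[].valueFrom.secretKeyRef (what the report shows) and
    envFrom[].secretRef, which imports a whole Secret as env vars."""
    findings = []
    spec = pod_spec(manifest)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append((c["name"], env["name"], ref["name"], ref["key"]))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append((c["name"], "*", ef["secretRef"]["name"], "*"))
    return findings

# Constructed manifest mirroring the non-compliant Job in the report.
NONCOMPLIANT_JOB = {"kind": "Job", "spec": {"template": {"spec": {"containers": [{
    "name": "assisted-installer-controller",
    "env": [{"name": "PULL_SECRET_TOKEN", "valueFrom": {"secretKeyRef": {
        "name": "assisted-installer-controller-secret", "key": "pull-secret-token"}}}],
}]}}}}

# Same workload with the Secret mounted as a read-only file instead; the mount
# path and the *_FILE variable name are assumed conventions, not the project's.
COMPLIANT_JOB = {"kind": "Job", "spec": {"template": {"spec": {
    "volumes": [{"name": "pull-secret", "secret": {
        "secretName": "assisted-installer-controller-secret", "defaultMode": 0o400}}],
    "containers": [{
        "name": "assisted-installer-controller",
        "env": [{"name": "PULL_SECRET_TOKEN_FILE",
                 "value": "/var/run/secrets/pull-secret/pull-secret-token"}],
        "volumeMounts": [{"name": "pull-secret", "readOnly": True,
                          "mountPath": "/var/run/secrets/pull-secret"}],
    }],
}}}}

if __name__ == "__main__":
    print("non-compliant:", find_env_secrets(NONCOMPLIANT_JOB))  # one finding
    print("compliant:", find_env_secrets(COMPLIANT_JOB))         # []
```

      The same walk can be applied to the output of `oc get pod/job -o json` to turn the manual grep above into an automated check.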

      Version-Release number of selected component (if applicable):

          OCP 4.14

      How reproducible:

          100%

      Steps to Reproduce:

          1. Install a new cluster using assisted installer
          2. Run a compliance scan using the Compliance Operator [1], or simply inspect the manifest of the assisted-installer-controller Pod or Job
          
      [1] https://docs.openshift.com/container-platform/4.14/security/compliance_operator/co-overview.html

      Actual results:

      Not compliant with CIS or other security baselines

      Expected results:

      Compliant with CIS or other security baselines

      Additional info:

          People

            oourfali Oved Ourfali
            rhn-support-yuokada Yuki Okada
            Lital Alon Lital Alon