Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29687

metal3 reads secrets from environment variables, which is not CIS Compliant

XMLWordPrintable

    • No
    • 4
    • Metal Platform 249, Metal Platform 250, Metal Platform 251, Metal Platform 252, Metal Platform 253, Metal Platform 254, Metal Platform 255, Metal Platform 256
    • 8
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the Ironic `htpasswd` was provided to `ironic-image` using environment variables, which is not secure. From this release, the Ironic `htpasswd` is provided to `ironic-image` using the `/auth/ironic/htpasswd` file for better security. (link:https://issues.redhat.com/browse/OCPBUGS-29687[*OCPBUGS-29687*])
      Show
      * Previously, the Ironic `htpasswd` was provided to `ironic-image` using environment variables, which is not secure. From this release, the Ironic `htpasswd` is provided to `ironic-image` using the `/auth/ironic/htpasswd` file for better security. (link: https://issues.redhat.com/browse/OCPBUGS-29687 [* OCPBUGS-29687 *])
    • Enhancement
    • Done

      Description of problem:

      Security baselines such as CIS do not recommend using secrets as environment variables, but using files.

5.4.1 Prefer using secrets as files over secrets as environmen... | Tenable®
https://www.tenable.com/audits/items/CIS_Kubernetes_v1.6.1_Level_2_Master.audit:98de3da69271994afb6211cf86ae4c6b
Secrets in Kubernetes must not be stored as environment variables.
https://www.stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242415

However, metal3 and metal3-image-customization Pods are using environment variables.

$ oc get pod -A -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' | grep metal3
 Pod metal3-66b59bbb76-8xzl7 
 Pod metal3-image-customization-965f5c8fc-h8zrk 
    

      Version-Release number of selected component (if applicable):

      4.14, 4.13, 4.12

      How reproducible:

      100%

      Steps to Reproduce:

          1. Install a new cluster using baremetal IPI
    2. Run a compliance scan using compliance operator[1], or just look at the manifest of metal3 or metal3-image-customization pod
    
    [1] https://docs.openshift.com/container-platform/4.14/security/compliance_operator/co-overview.html  

      Actual results:

      Not compliant to CIS or other security baselines

      Expected results:

      Compliant to CIS or other security baselines  

      Additional info:

              rh-ee-masghar Mahnoor Asghar
              rhn-support-yuokada Yuki Okada
              Jad Haj Yahya Jad Haj Yahya
              Alexandra Molnar Alexandra Molnar
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: