OpenShift Bugs: OCPBUGS-29687

metal3 reads secrets from environment variables, which is not CIS Compliant


Details

    • No
    • 2
    • Metal Platform 249, Metal Platform 250, Metal Platform 251, Metal Platform 252, Metal Platform 253
    • 5
    • False

    Description

      Description of problem:

      Security baselines such as the CIS Kubernetes Benchmark recommend exposing Secrets to Pods as mounted files rather than as environment variables:
      
      5.4.1 Prefer using secrets as files over secrets as environmen... | Tenable®
      https://www.tenable.com/audits/items/CIS_Kubernetes_v1.6.1_Level_2_Master.audit:98de3da69271994afb6211cf86ae4c6b
      Secrets in Kubernetes must not be stored as environment variables.
      https://www.stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242415
      
      However, the metal3 and metal3-image-customization Pods inject Secrets through environment variables (secretKeyRef), which the following query shows:
      
      $ oc get pod -A -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' | grep metal3
       Pod metal3-66b59bbb76-8xzl7 
       Pod metal3-image-customization-965f5c8fc-h8zrk 
          
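      The same check can be run offline against exported Pod manifests. The script below is an added example for this report, not part of the bug or of metal3; the two manifests it contains are constructed illustrations with placeholder names (they are not the real metal3 pod specs). It flags every environment variable sourced from a Secret, covering both env[].valueFrom.secretKeyRef and envFrom[].secretRef across init, regular and ephemeral containers, and shows the compliant alternative (the Secret delivered as files through a volume) passing the same check.

```python
"""Flag Kubernetes Pod manifests that inject Secrets as environment variables.

Added example for this report. The two manifests below are constructed
illustrations with placeholder names, not the real metal3 pod specs.
"""
from typing import Dict, List, Tuple

# Constructed: a pod that pulls Secrets into the environment (what CIS 5.4.1 flags).
NONCOMPLIANT_POD: Dict = {
    "kind": "Pod",
    "metadata": {"name": "example-env-secret"},  # placeholder name
    "spec": {
        "initContainers": [],
        "containers": [
            {
                "name": "app",
                "env": [
                    {"name": "LOG_LEVEL", "value": "info"},
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
                ],
                "envFrom": [{"secretRef": {"name": "extra-creds"}}],
            }
        ],
    },
}

# Constructed: the same Secret delivered as files via a volume mount (the recommended form).
COMPLIANT_POD: Dict = {
    "kind": "Pod",
    "metadata": {"name": "example-file-secret"},  # placeholder name
    "spec": {
        "containers": [
            {
                "name": "app",
                "env": [{"name": "LOG_LEVEL", "value": "info"}],
                "volumeMounts": [
                    {"name": "db-creds", "mountPath": "/run/secrets/db", "readOnly": True}
                ],
            }
        ],
        "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
    },
}


def find_env_secret_refs(pod: Dict) -> List[Tuple[str, str, str]]:
    """Return (container, env_var, secret_name) for each env var sourced from a Secret.

    envFrom.secretRef imports every key of the Secret, so it is reported with
    env_var "*". Init and ephemeral containers are scanned as well, since
    secrets leak through those just as easily.
    """
    findings: List[Tuple[str, str, str]] = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []) or []:
            for env in container.get("env", []) or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append((container["name"], env["name"], ref["name"]))
            for source in container.get("envFrom", []) or []:
                ref = source.get("secretRef")
                if ref:
                    findings.append((container["name"], "*", ref["name"]))
    return findings


def secrets_mounted_as_files(pod: Dict) -> List[str]:
    """Return the Secret names this pod mounts as volumes (the CIS-preferred pattern)."""
    volumes = pod.get("spec", {}).get("volumes", []) or []
    return [v["secret"]["secretName"] for v in volumes if "secret" in v]


def report(pod: Dict) -> str:
    """Human-readable verdict for one pod: OK, or FAIL with every offending env var."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    hits = find_env_secret_refs(pod)
    if not hits:
        files = secrets_mounted_as_files(pod) or "none"
        return f"{name}: OK (secrets mounted as files: {files})"
    lines = [f"{name}: FAIL, {len(hits)} env var(s) sourced from Secrets"]
    lines += [f"  container={c} env={e} secret={s}" for c, e, s in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    for manifest in (NONCOMPLIANT_POD, COMPLIANT_POD):
        print(report(manifest))
```

      To check a live cluster, feed the script the output of `oc get pod -A -o json` (parsed with `json.load`) and call `report` on each entry of `items`; the jsonpath query above is the one-liner equivalent of `find_env_secret_refs`, except that it does not catch `envFrom.secretRef`.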

      Version-Release number of selected component (if applicable):

      4.14, 4.13, 4.12

      How reproducible:

      100%

      Steps to Reproduce:

          1. Install a new cluster using baremetal IPI
          2. Run a compliance scan using compliance operator[1], or just look at the manifest of metal3 or metal3-image-customization pod
          
          [1] https://docs.openshift.com/container-platform/4.14/security/compliance_operator/co-overview.html

      Actual results:

      Not compliant with CIS or other security baselines

      Expected results:

      Compliant with CIS or other security baselines

      Additional info:

          People

            rh-ee-masghar Mahnoor Asghar
            rhn-support-yuokada Yuki Okada
            Jad Haj Yahya Jad Haj Yahya
            Votes: 0
            Watchers: 6
