OpenShift Bugs: OCPBUGS-36285

metal3 reads secrets from environment variables, which is not CIS Compliant


    • Metal Platform 255, Metal Platform 256, Metal Platform 257
    • 
      Previously, the Ironic and Inspector `htpasswd` were provided to the `ironic-image` using environment variables, which is not secure. From this release, the Ironic `htpasswd` is provided to `ironic-image` using the `/auth/ironic/htpasswd` file, and the Inspector `htpasswd` is provided to `ironic-image` using the `/auth/inspector/htpasswd` file for better security. (link:https://issues.redhat.com/browse/OCPBUGS-36285[*OCPBUGS-36285*])
    • Enhancement
    • Done

      This is a clone of issue OCPBUGS-29687. The following is the description of the original issue:

      Description of problem:

      Security baselines such as CIS do not recommend using secrets as environment variables, but using files.
      
      5.4.1 Prefer using secrets as files over secrets as environmen... | Tenable®
      https://www.tenable.com/audits/items/CIS_Kubernetes_v1.6.1_Level_2_Master.audit:98de3da69271994afb6211cf86ae4c6b
      Secrets in Kubernetes must not be stored as environment variables.
      https://www.stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242415
      
      However, metal3 and metal3-image-customization Pods are using environment variables.

      $ oc get pod -A -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' | grep metal3
       Pod metal3-66b59bbb76-8xzl7
       Pod metal3-image-customization-965f5c8fc-h8zrk


      Version-Release number of selected component (if applicable):

      4.14, 4.13, 4.12    

      How reproducible:

      100%

      Steps to Reproduce:

          1. Install a new cluster using baremetal IPI
          2. Run a compliance scan using compliance operator[1], or just look at the manifest of metal3 or metal3-image-customization pod
          
          [1] https://docs.openshift.com/container-platform/4.14/security/compliance_operator/co-overview.html   

      Actual results:

      Not compliant to CIS or other security baselines   

      Expected results:

      Compliant to CIS or other security baselines    

      Additional info:

          
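The reproduction step above finds offending pods with a jsonpath filter on `secretKeyRef`. The following is an added example, not code from this issue, from OpenShift or from the metal3 project: it implements the same CIS 5.4.1 check in Python over constructed pod manifests, going a little beyond the one-liner by also flagging `envFrom.secretRef` and initContainers, and it shows the file-based remediation the release note describes (secret mounted as a read-only volume instead of injected into the environment). The pod names echo the issue; the container names, the `IRONIC_HTPASSWD` variable, the secret names and the mount paths are all constructed for the example.

```python
"""Added example (not from OCPBUGS-36285 or the metal3 project): a CIS 5.4.1-style
check for secrets exposed as environment variables, plus a helper that rewrites
one such entry into a file-backed secret volume."""
import copy
from typing import Any, Dict, Iterator, List, Tuple

# (namespace/pod, container, env var name or "envFrom", secret name)
Finding = Tuple[str, str, str, str]

# Constructed sample manifests. Pod names echo the issue; everything else
# (container names, env var names, secret names, images) is invented.
SAMPLE_PODS: List[Dict[str, Any]] = [
    {
        "kind": "Pod",
        "metadata": {"name": "metal3-66b59bbb76-8xzl7", "namespace": "openshift-machine-api"},
        "spec": {
            "containers": [
                {
                    "name": "metal3-ironic",
                    "image": "ironic-image:example",
                    "env": [
                        # Non-compliant: secret key injected into the environment.
                        {"name": "IRONIC_HTPASSWD",
                         "valueFrom": {"secretKeyRef": {"name": "metal3-ironic-password", "key": "htpasswd"}}},
                        {"name": "HTTP_PORT", "value": "6180"},
                    ],
                },
                {
                    "name": "metal3-inspector",
                    "image": "ironic-image:example",
                    # Non-compliant as well: the whole Secret becomes env vars.
                    "envFrom": [{"secretRef": {"name": "metal3-inspector-password"}}],
                },
            ]
        },
    },
    {
        "kind": "Pod",
        "metadata": {"name": "compliant-pod", "namespace": "default"},
        "spec": {
            "containers": [{
                "name": "app",
                "image": "app:example",
                # A configMapKeyRef is not a secret and must not be flagged.
                "env": [{"name": "CONFIG_PATH",
                         "valueFrom": {"configMapKeyRef": {"name": "cfg", "key": "path"}}}],
                "volumeMounts": [{"name": "creds", "mountPath": "/auth", "readOnly": True}],
            }],
            "volumes": [{"name": "creds", "secret": {"secretName": "app-creds"}}],
        },
    },
]


def _containers(spec: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield init containers and regular containers of a pod spec."""
    for field in ("initContainers", "containers"):
        yield from spec.get(field, [])


def find_secret_env_refs(pods: List[Dict[str, Any]]) -> List[Finding]:
    """Flag every container env var sourced from a Secret (CIS 5.4.1)."""
    findings: List[Finding] = []
    for pod in pods:
        meta = pod.get("metadata", {})
        pod_id = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for c in _containers(pod.get("spec", {})):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    findings.append((pod_id, c["name"], env["name"], ref["name"]))
            for src in c.get("envFrom", []):
                ref = src.get("secretRef")
                if ref:
                    findings.append((pod_id, c["name"], "envFrom", ref["name"]))
    return findings


def secret_env_to_file(pod: Dict[str, Any], container_name: str,
                       env_name: str, mount_dir: str) -> Dict[str, Any]:
    """Return a copy of `pod` where the secretKeyRef env var `env_name` in
    `container_name` is replaced by a read-only secret volume mounted at
    `mount_dir`; the key becomes the file name (e.g. mount_dir/htpasswd).
    The volume naming scheme is a convention invented for this example."""
    new = copy.deepcopy(pod)
    spec = new["spec"]
    for c in _containers(spec):
        if c["name"] != container_name:
            continue
        kept, ref = [], None
        for env in c.get("env", []):
            if env["name"] == env_name and "secretKeyRef" in env.get("valueFrom", {}):
                ref = env["valueFrom"]["secretKeyRef"]
            else:
                kept.append(env)
        if ref is None:
            raise KeyError(f"{container_name} has no secretKeyRef env var {env_name}")
        c["env"] = kept
        vol_name = f"{ref['name']}-file"
        c.setdefault("volumeMounts", []).append(
            {"name": vol_name, "mountPath": mount_dir, "readOnly": True})
        spec.setdefault("volumes", []).append(
            {"name": vol_name,
             "secret": {"secretName": ref["name"], "defaultMode": 0o400,
                        "items": [{"key": ref["key"], "path": ref["key"]}]}})
        return new
    raise KeyError(f"container {container_name} not found")


if __name__ == "__main__":
    for f in find_secret_env_refs(SAMPLE_PODS):
        print("non-compliant:", *f)
    fixed = secret_env_to_file(SAMPLE_PODS[0], "metal3-ironic", "IRONIC_HTPASSWD", "/auth/ironic")
    print("after remediation:", find_secret_env_refs([fixed]))
```

Against a live cluster the input would be the `items` array of `oc get pod -A -o json`; the check is deliberately read-only, and the rewrite helper only produces a candidate manifest for review, since the container image must also be changed to read the file (as the release note says `ironic-image` now does) before the env var can be dropped.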

              rh-ee-masghar Mahnoor Asghar
              openshift-crt-jira-prow OpenShift Prow Bot
              Steeve Goveas
              Alexandra Molnar
              Votes: 0
              Watchers: 9