1. Proposed title of this feature request
Better protect client certificate on Windows Machine

2. What is the nature and description of the request?
When running OpenShift Container Platform 4 with Windows Machines, it was observed that C:\var\lib\kubelet\pki\kubelet-server-<TIMESTAMP>.pem and C:\k\cni\config\ovnkube-client-<TIMESTAMP>.pem are stored on the local filesystem without the desired restriction put in place to protect them. Given that exposing them too much could impact safety of the entire OpenShift Container Platform 4 - Cluster it's requested to further protect them using more strict ACL but more important to consider the usage of certlm.exe to store and manage those certificates. That way, they are kept secure and access can be managed accordingly (also Windows recommended practice).

3. Why does the customer need this? (List the business requirements here)
Having C:\var\lib\kubelet\pki\kubelet-server-<TIMESTAMP>.pem and C:\k\cni\config\ovnkube-client-<TIMESTAMP>.pem exposed too much exposes significant risk to the OpenShift Container Platform 4 - Cluster overall. Boundaries for potential breach or abuse of the certificate is high and should be reduced to complain with known standards within the Windows Server eco-system.

Not complying with those safety requirements will expose challenges to enterprises, as Security exceptions need to be raised or usage of Windows Container may be denied because of the above security implication.

4. List any affected packages or components.
Windows Containers