Bug 1751982

Summary: Following security recommendations (OpenSCAP)
Product: OpenShift Container Platform
Reporter: Radomir Ludva <rludva>
Component: Installer
Assignee: Russell Teague <rteague>
Installer sub component: openshift-ansible
QA Contact: Johnny Liu <jialiu>
Status: CLOSED NOTABUG
Docs Contact:
Severity: medium
Priority: unspecified
CC: ahoness, aos-bugs, eparis, gblomqui, jialiu, jokerman, mfojtik, nstielau, xtian
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1761875
Environment:
Last Closed: 2019-10-15 13:45:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1761875

Description Radomir Ludva 2019-09-13 11:01:30 UTC
Description of problem:
The customer was asked by the security department to follow security recommendations that are the result of an OpenSCAP security test.

They can change these settings for the cluster, but we probably have not tested these changes regularly, so I am creating this Bugzilla to establish a discussion about this topic with engineering.

Security recommendations:
- Change the owner and group of /var/lib/etcd to root:root
- Change the permissions of /etc/origin/master/master-config.yaml to 0600
- Change the permissions of /etc/origin/master/scheduler.json to 0600
- Add RotateKubeletServerCertificate=true to the master-config.yaml file

Change these kubelet arguments for both master and node:
- Disable cadvisor port by setting cadvisor-port to 0
- Disable the read-only port by setting read-only-port to 0
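
The six items above can be verified on a host with a small audit script. The one below is an added example, not part of the bug report or of openshift-ansible; it uses the file paths the report names, assumes `/etc/origin/node/node-config.yaml` for the node side and the `kubeletArguments.feature-gates` placement of the feature gate, and takes a hypothetical ROOT argument so it can run against a staged copy of a host filesystem.

```shell
# Added compliance check for the hardening items in this report; it is not
# openshift-ansible code. Paths are from the report except NODE_CFG (assumed);
# ROOT lets the check run against a staged copy of a host instead of /.
ETCD_DIR="var/lib/etcd"
MASTER_CFG="etc/origin/master/master-config.yaml"
SCHED_CFG="etc/origin/master/scheduler.json"
NODE_CFG="etc/origin/node/node-config.yaml"   # assumed path, not in the report

# check_stat PATH STATFMT EXPECTED LABEL -> 0 if stat output matches EXPECTED
check_stat() {
  got=$(stat -c "$2" "$1" 2>/dev/null) || { echo "FAIL: $1 missing"; return 1; }
  [ "$got" = "$3" ] || { echo "FAIL: $1 $4 is $got, expected $3"; return 1; }
}

# kubelet_arg FILE KEY -> first list value under kubeletArguments.KEY ("" if unset)
kubelet_arg() {
  awk -v key="$2:" '
    /^kubeletArguments:/ { inargs = 1; next }
    inargs && /^[^ ]/    { inargs = 0; want = 0 }      # next top-level key
    inargs && $1 == key  { want = 1; next }
    want && $1 == "-"    { gsub(/"/, "", $2); print $2; exit }
    want                 { want = 0 }                   # a different sub-key
  ' "$1" 2>/dev/null
}

# audit ROOT [OWNER] -> prints one FAIL line per deviation, returns their count
audit() {
  root="${1:-/}"; owner="${2:-root:root}"; fails=0
  check_stat "$root/$ETCD_DIR" '%U:%G' "$owner" owner || fails=$((fails + 1))
  check_stat "$root/$MASTER_CFG" '%a' 600 mode       || fails=$((fails + 1))
  check_stat "$root/$SCHED_CFG" '%a' 600 mode        || fails=$((fails + 1))
  grep -qs 'RotateKubeletServerCertificate=true' "$root/$MASTER_CFG" ||
    { echo "FAIL: RotateKubeletServerCertificate=true missing"; fails=$((fails + 1)); }
  for cfg in "$MASTER_CFG" "$NODE_CFG"; do          # both master and node
    for key in cadvisor-port read-only-port; do
      [ "$(kubelet_arg "$root/$cfg" "$key")" = "0" ] ||
        { echo "FAIL: $cfg kubeletArguments.$key is not 0"; fails=$((fails + 1)); }
    done
  done
  return "$fails"
}
# make_fixture DIR -> constructed, compliant staging tree for offline testing
# (placing the feature gate under kubeletArguments.feature-gates is assumed)
make_fixture() {
  mkdir -p "$1/$ETCD_DIR" "$1/etc/origin/master" "$1/etc/origin/node"
  printf 'kubeletArguments:\n  feature-gates:\n  - "RotateKubeletServerCertificate=true"\n  cadvisor-port:\n  - "0"\n  read-only-port:\n  - "0"\n' > "$1/$MASTER_CFG"
  printf 'kubeletArguments:\n  cadvisor-port:\n  - "0"\n  read-only-port:\n  - "0"\n' > "$1/$NODE_CFG"
  echo '{}' > "$1/$SCHED_CFG"; chmod 600 "$1/$MASTER_CFG" "$1/$SCHED_CFG"
}
```

On a real host, source the file and run `audit /` as root; a non-zero return is the number of recommendations not yet applied, and `make_fixture` only builds a throwaway tree for trying the checks offline.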

Comment 2 Radomir Ludva 2019-09-13 11:37:48 UTC
Can you advise if these guidelines are needed from a Red Hat point of view?