Bug 1955822

Summary: CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secrets as environment variables
Product: OpenShift Container Platform Reporter: rrpolanco
Component: NetworkingAssignee: Stephen Greene <sgreene>
Networking sub component: router QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: high CC: amcdermo, aos-bugs, hongli, mmasters, sgreene
Version: 4.6   
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 23:05:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description rrpolanco 2021-04-30 21:08:29 UTC 
Description of problem:

Router default pods on OpenShift 4 fail [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendation 5.4.1 which states the following: "Prefer using secrets as files over secrets as environment variables".

`router-default` pods leverage secrets stored in STATS_PASSWORD and STATS_USERNAME environment variables which causes the benchmark to fail. See: https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/deployment.go#L325-L344

In order for the benchmark to pass changes to the ingress-operator and router application will need to be made so that the stats credentials are sourced directly from a secret volume.


Version-Release number of selected component (if applicable):
4.x

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Miciah Dashiel Butler Masters 2021-05-12 14:35:42 UTC 
This report does not specify severity.  What is the impact of this issue?  Does this affect customers?
Comment 2 rrpolanco 2021-05-19 18:28:32 UTC 
This is preventing IBM from receiving the CIS security software certification for one of its product offerings.
Comment 5 Hongan Li 2021-06-08 03:22:56 UTC 
Verified with 4.8.0-0.nightly-2021-06-07-180258 and passed.


$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-07-180258   True        False         72m     Cluster version is 4.8.0-0.nightly-2021-06-07-180258

$ oc -n openshift-ingress get deployment/router-default -oyaml
spec:
<---snip--->
      containers:
      - env:
        - name: STATS_PASSWORD_FILE
          value: /var/lib/haproxy/conf/metrics-auth/statsPassword
        - name: STATS_PORT
          value: "1936"
        - name: STATS_USERNAME_FILE
          value: /var/lib/haproxy/conf/metrics-auth/statsUsername
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4952d471351bbedc784e76df6cca865313100225aa046df016f92371ce7cd044
        imagePullPolicy: IfNotPresent
<......>
        volumeMounts:
        - mountPath: /var/lib/haproxy/conf/metrics-auth
          name: stats-auth
          readOnly: true
<------->
      volumes:
      - name: stats-auth
        secret:
          defaultMode: 420
          secretName: router-stats-default

$ oc -n openshift-ingress get secret/router-stats-default -oyaml
apiVersion: v1
data:
  statsPassword: <string>
  statsUsername: <string>
kind: Secret
Comment 8 errata-xmlrpc 2021-07-27 23:05:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438