Bug 2009763

Summary: Kube API Server Static pod has user-serving-cert with 644 permissions
Product: OpenShift Container Platform
Reporter: Matthew Robson <mrobson>
Component: kube-apiserver
Assignee: Emily Moss <emoss>
Status: CLOSED DUPLICATE
QA Contact: Ke Wang <kewang>
Severity: unspecified
Priority: unspecified
Version: 4.7
CC: aos-bugs, mfojtik, xxia
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-10-11 19:09:08 UTC
Type: Bug

Description Matthew Robson 2021-10-01 14:06:24 UTC
Description of problem:

This is causing failures in the CIS check from the compliance operator:

# oc -n openshift-compliance get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,!compliance.openshift.io/automated-remediation'
NAME                                                                           STATUS   SEVERITY
ocp4-cis-node-master-file-permissions-openshift-pki-cert-files                 FAIL     medium
ocp4-cis-node-master-file-permissions-openshift-pki-key-files                  FAIL     medium

Looking at the masters, you can see it has 644 permissions:
[root@master-02 ~]# ls -l /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt /etc/kubernetes/static-pod-resources/*/*/*/*.key | grep -v -- '-rw-------'
-rw-r--r--. 1 root root 5859 Apr 13 18:32 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-r--r--. 1 root root 1704 Apr 13 18:32 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.key

You can see the CIS benchmark here:
https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/master/file_permissions_openshift_pki_cert_files/rule.yml#L5

It's expecting certificate permissions to be 600.


Version-Release number of selected component (if applicable):
4.7

How reproducible:
Always

Steps to Reproduce:
1. Using the default compliance operator

Actual results:
644 permissions

Expected results:
600 permissions for CIS compliance

Additional info:
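
An added shell example, not taken from the bug report or from the compliance operator, that reproduces the check behind the CIS rule (cert and key files under the static-pod resources tree must be mode 0600) on a constructed directory tree, and applies the remediation the rule expects. The temp directory layout and the secret name `example-compliant-cert` are constructed for the example; `user-serving-cert-000` mirrors the failing path in the report.

```shell
# Emulate the ocp4-cis-node-master-file-permissions-openshift-pki-*-files
# check: list every tls.crt / *.key below $1 that has any group/other
# permission bit set. Prints "FAIL <mode> <path>" per finding and returns 1
# when at least one file is non-compliant, 0 when the tree is clean.
# Requires GNU find/stat (as on RHEL); -perm /077 matches any g/o bit.
check_pki_perms() {
    root="$1"
    bad=$(find "$root" -type f \( -name 'tls.crt' -o -name '*.key' \) \
               -perm /077 2>/dev/null | sort)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while IFS= read -r f; do
        printf 'FAIL %s %s\n' "$(stat -c '%a' "$f")" "$f"
    done
    return 1
}

# Remediation the benchmark expects: tighten every cert/key file to 0600.
# Only files that are currently too open are touched.
fix_pki_perms() {
    find "$1" -type f \( -name 'tls.crt' -o -name '*.key' \) \
         -perm /077 -exec chmod 600 {} + 2>/dev/null
}

# Constructed fixture mirroring the report: one secret left at 644 by the
# platform, one already at 600. Prints the temp root so callers can use it.
make_fixture() {
    d=$(mktemp -d)
    s="$d/kube-apiserver-certs/secrets"
    mkdir -p "$s/user-serving-cert-000" "$s/example-compliant-cert"
    for n in tls.crt tls.key; do
        : > "$s/user-serving-cert-000/$n"; chmod 644 "$s/user-serving-cert-000/$n"
        : > "$s/example-compliant-cert/$n";  chmod 600 "$s/example-compliant-cert/$n"
    done
    echo "$d"
}

# Usage on a real master (as root):
#   check_pki_perms /etc/kubernetes/static-pod-resources || fix_pki_perms /etc/kubernetes/static-pod-resources
```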

Comment 1 Emily Moss 2021-10-11 19:09:08 UTC

*** This bug has been marked as a duplicate of bug 1977730 ***