Bug 2065312

Summary: RHOCP 4.9 with global read permissions on static-pod-resources/kube-controller-manager-certs secrets
Product: OpenShift Container Platform
Reporter: Gabriel Scheffer <gscheffe>
Component: kube-controller-manager
Assignee: Filip Krepinsky <fkrepins>
Status: CLOSED DUPLICATE
QA Contact: zhou ying <yinzhou>
Severity: medium
Priority: medium
Version: 4.9
CC: aos-bugs, fkrepins, mfojtik, smaudet
Hardware: x86_64   
OS: Linux   
Last Closed: 2022-03-29 15:38:50 UTC
Type: Bug

Description Gabriel Scheffer 2022-03-17 16:05:06 UTC
Description of problem:
The compliance operator is reporting the "ocp4-cis-node-master-file-permissions-openshift-pki-cert-files" and "ocp4-cis-node-master-file-permissions-openshift-pki-key-files" rules as failed.

There is no MachineConfig overriding the permissions on the files.
The files with globally readable permissions are the following; the behavior is the same on all 3 masters:

-rw-r--r--. 1 root root 1.7K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.key
-rw-r--r--. 1 root root 1.2K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt
-rw-r--r--. 1 root root 1.7K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.key
-rw-r--r--. 1 root root 1.2K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt
-rw-r--r--. 1 root root 1.3K Mar 11 23:49 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt
-rw-r--r--. 1 root root 1.7K Mar 11 23:49 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.key

As a workaround, 2 weeks ago the customer ran "sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt" and "sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key" on the master nodes, just as the OpenSCAP report recommends, but now these rules have appeared as failed again, because something has renewed some PKI files.

According to the "Red Hat OpenShift 4 Hardening Guide v1.1" document, the rule does not need remediation because the file permissions are managed by the operator.

Version-Release number of selected component (if applicable):

How reproducible:
Install a cluster version 4.9.17+ with Compliance Operator v0.1.48 and configure a Default Scan for the ocp4-cis profile. It will take a couple of days/weeks for the operator to refresh/rotate those 6 files above.

Steps to Reproduce:

Actual results:
4 cert files from kube-controller-manager and 2 files from kube-scheduler with global read permissions (i.e. 644).

Expected results:
All 6 files mentioned with 600 permissions.

Additional info:
In attachment.
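The report above describes a detection-only problem: a manual chmod 0600 is undone the next time the operator rotates the certificates, so the useful thing on the defender's side is a repeatable check that lists which certificate and key files under static-pod-resources carry any group/other permission bits, matching the paths the two ocp4-cis rules flag. The following POSIX shell script is an added example and is not part of the bug report or of the Compliance Operator; it assumes GNU coreutils `stat -c` (as shipped on RHCOS) and builds a constructed sample tree under a temporary directory so it can be run offline, while `check_perms /etc/kubernetes` runs the same audit on a real master.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenShift.
# Audits tls.crt / *.key files under DIR/static-pod-resources for any
# group/other permission bits (the condition behind the
# ocp4-cis-node-master-file-permissions-openshift-pki-* rules).
# Requires GNU coreutils `stat -c` (present on RHCOS).

# list_bad DIR: print "<mode> <path>" for every tls.crt or *.key file
# under DIR/static-pod-resources whose last two octal digits are not 00.
list_bad() {
  find "$1/static-pod-resources" -type f \( -name 'tls.crt' -o -name '*.key' \) -print 2>/dev/null |
  sort |
  while IFS= read -r f; do
    mode=$(stat -c '%a' "$f")
    # ${mode%??} drops the last two digits; stripping that prefix from
    # $mode leaves exactly the group and other digits.
    case "${mode#${mode%??}}" in
      00) ;;                                   # owner-only: compliant
      *)  printf '%s %s\n' "$mode" "$f" ;;     # group/other bits set
    esac
  done
}

# check_perms DIR: print offending files and return 1 if any were found,
# return 0 when every matched file is owner-only.
check_perms() {
  bad=$(list_bad "$1")
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# make_sample: build a constructed tree mimicking the layout on a master
# (one 644 cert, one 600 key) and print its root directory.
make_sample() {
  root=$(mktemp -d)
  d="$root/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer"
  mkdir -p "$d"
  printf 'constructed sample cert\n' > "$d/tls.crt"
  chmod 644 "$d/tls.crt"
  printf 'constructed sample key\n' > "$d/tls.key"
  chmod 600 "$d/tls.key"
  printf '%s' "$root"
}

# On a real master, audit the live tree when it exists.
if [ -d "/etc/kubernetes/static-pod-resources" ]; then
  check_perms /etc/kubernetes
fi
```

Run it on each master (for example via `oc debug node/<master> -- chroot /host sh audit.sh`) after a rotation to confirm whether the renewed files came back with 644; a non-zero exit means at least one file is group- or world-readable, and the printed mode and path are what to compare against the scan result.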

Comment 4 Filip Krepinsky 2022-03-28 19:20:23 UTC
Hi, sorry for the late response,

this should already be fixed by:

- https://github.com/openshift/library-go/pull/1202
- https://github.com/openshift/cluster-kube-scheduler-operator/pull/405
- https://github.com/openshift/cluster-kube-controller-manager-operator/pull/593

Can you please update to the latest 4.9 and check whether it fixes this issue for you?