Bug 1751982 - Following security recommendations (OpenSCAP)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.11.z
Assignee: Russell Teague
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks: 1761875
Reported: 2019-09-13 11:01 UTC by Radomir Ludva
Modified: 2023-03-24 15:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1761875
Environment:
Last Closed: 2019-10-15 13:45:19 UTC
Target Upstream Version:
Embargoed:



Description Radomir Ludva 2019-09-13 11:01:30 UTC
Description of problem:
The customer was asked by the security department to follow security recommendations that are the result of an OpenSCAP security test.

They can change these settings for the cluster, but we probably have not tested these changes regularly, so I am creating this Bugzilla to establish a discussion about this topic with engineering.

Security recommendations:
- Change the owner and group of /var/lib/etcd to root:root
- Change the permissions of /etc/origin/master/master-config.yaml to 0600
- Change the permissions of /etc/origin/master/scheduler.json to 0600
- Add RotateKubeletServerCertificate=true to the master-config.yaml file

Change these kubelet arguments for both master and node:
- Disable cadvisor port by setting cadvisor-port to 0
- Disable the read-only port by setting read-only-port to 0

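Added example, not from the report or from the product: a read-only audit of the items listed above, for spotting drift on a host before the next OpenSCAP run. Assumed: GNU stat, /etc/origin/node/node-config.yaml as the kubelet argument file on both masters and nodes, a literal RotateKubeletServerCertificate=true string in master-config.yaml, and a ROOT variable that prefixes every path so the checks can run against a staged copy of the filesystem.

```shell
# Constructed audit of the OpenSCAP items in the report above (not product code).
# ROOT (assumed) prefixes every path so the checks can run on a staged copy.
ROOT="${ROOT:-}"

# check_file PATH MODE OWNER:GROUP -> 0 if it matches, 1 on mismatch, 2 if missing.
# An empty MODE or OWNER skips that part of the comparison. GNU stat is assumed.
check_file() {
    path="$ROOT$1"; want_mode="$2"; want_owner="$3"
    state=$(stat -c '%a %U:%G' "$path" 2>/dev/null) || return 2
    mode=${state% *}; owner=${state#* }
    [ -z "$want_mode" ] || [ "$mode" = "$want_mode" ] || return 1
    [ -z "$want_owner" ] || [ "$owner" = "$want_owner" ] || return 1
}

# kubelet_arg_is_zero FILE KEY -> 0 when kubeletArguments lists KEY with the single value "0"
# (node-config.yaml layout: a "  KEY:" line followed by a "  - \"0\"" line).
kubelet_arg_is_zero() {
    sed -n "/^[[:space:]]*$2:[[:space:]]*\$/{n;p;}" "$ROOT$1" 2>/dev/null |
        grep -Eq '^[[:space:]]*-[[:space:]]*"?0"?[[:space:]]*$'
}

# master_has_rotate FILE -> 0 when the literal RotateKubeletServerCertificate=true is present
master_has_rotate() {
    grep -q 'RotateKubeletServerCertificate=true' "$ROOT$1" 2>/dev/null
}

# run_check LABEL CMD ARGS... -> prints PASS/FAIL and passes the check's status through
run_check() {
    label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# audit_all -> exit status is the number of failed checks (0 means every item is met)
audit_all() {
    fails=0
    run_check "/var/lib/etcd owned by root:root" \
        check_file /var/lib/etcd "" root:root || fails=$((fails + 1))
    run_check "master-config.yaml mode 0600" \
        check_file /etc/origin/master/master-config.yaml 600 "" || fails=$((fails + 1))
    run_check "scheduler.json mode 0600" \
        check_file /etc/origin/master/scheduler.json 600 "" || fails=$((fails + 1))
    run_check "RotateKubeletServerCertificate=true in master-config.yaml" \
        master_has_rotate /etc/origin/master/master-config.yaml || fails=$((fails + 1))
    for key in cadvisor-port read-only-port; do   # assumed: same file on masters and nodes
        run_check "kubelet $key set to 0 in node-config.yaml" \
            kubelet_arg_is_zero /etc/origin/node/node-config.yaml "$key" || fails=$((fails + 1))
    done
    return "$fails"
}
```

Source the file and call `audit_all`; the exit status is the number of items still out of line, and `ROOT=/mnt/host-copy` runs the same checks against a mounted snapshot instead of the live host.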
Comment 2 Radomir Ludva 2019-09-13 11:37:48 UTC
Can you advise if these guidelines are needed from a Red Hat point of view?
