Bug 1955822 - CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secrets as environment variables
Summary: CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secre...
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: aos-network-edge-staff
QA Contact: Hongan Li
Depends On:
TreeView+ depends on / blocked
Reported: 2021-04-30 21:08 UTC by rrpolanco
Modified: 2021-05-04 21:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Description rrpolanco 2021-04-30 21:08:29 UTC
Description of problem:

Router default pods on OpenShift 4 fail [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendation 5.4.1 which states the following: "Prefer using secrets as files over secrets as environment variables".

`router-default` pods leverage secrets stored in STATS_PASSWORD and STATS_USERNAME environment variables which causes the benchmark to fail. See: https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/deployment.go#L325-L344

In order for the benchmark to pass changes to the ingress-operator and router application will need to be made so that the stats credentials are sourced directly from a secret volume.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Note You need to log in before you can comment on or make changes to this bug.