Description of problem:
Router default pods on OpenShift 4 fail [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendation 5.4.1, which states the following: "Prefer using secrets as files over secrets as environment variables". `router-default` pods leverage secrets stored in the STATS_PASSWORD and STATS_USERNAME environment variables, which causes the benchmark to fail.

See: https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/deployment.go#L325-L344

In order for the benchmark to pass, changes to the ingress-operator and router application will need to be made so that the stats credentials are sourced directly from a secret volume.

Version-Release number of selected component (if applicable):
4.x

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
This report does not specify severity. What is the impact of this issue? Does this affect customers?
This is preventing IBM from receiving the CIS security software certification for one of its product offerings.
Verified with 4.8.0-0.nightly-2021-06-07-180258 and passed.

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-07-180258   True        False         72m     Cluster version is 4.8.0-0.nightly-2021-06-07-180258

$ oc -n openshift-ingress get deployment/router-default -oyaml
spec:
  <---snip--->
      containers:
      - env:
        - name: STATS_PASSWORD_FILE
          value: /var/lib/haproxy/conf/metrics-auth/statsPassword
        - name: STATS_PORT
          value: "1936"
        - name: STATS_USERNAME_FILE
          value: /var/lib/haproxy/conf/metrics-auth/statsUsername
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4952d471351bbedc784e76df6cca865313100225aa046df016f92371ce7cd044
        imagePullPolicy: IfNotPresent
        <......>
        volumeMounts:
        - mountPath: /var/lib/haproxy/conf/metrics-auth
          name: stats-auth
          readOnly: true
      <------->
      volumes:
      - name: stats-auth
        secret:
          defaultMode: 420
          secretName: router-stats-default

$ oc -n openshift-ingress get secret/router-stats-default -oyaml
apiVersion: v1
data:
  statsPassword: <string>
  statsUsername: <string>
kind: Secret
```
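The following is an added example, not code from the cluster-ingress-operator or from this bug report: a small audit script that applies the CIS 5.4.1 check ("secrets as files, not environment variables") to a Deployment as returned by `kubectl get deployment -o json`. Both manifests are constructed inline: the "before" Deployment models the env-var pattern the report describes (a `secretKeyRef` behind STATS_USERNAME and STATS_PASSWORD; the exact field layout of the original operator code is an assumption), and the "after" Deployment follows the shape shown in the verification output above (a read-only Secret volume with `*_FILE` env vars carrying only paths). The check also covers whole-secret injection through `envFrom.secretRef`, which the report does not mention but which fails the same recommendation.

```python
"""Audit a Kubernetes Deployment against CIS Kubernetes Benchmark 5.4.1.

Added example, not project code. Operates on the JSON object produced by
`kubectl get deployment <name> -o json`; the two manifests below are constructed
so the script runs offline.
"""
import json

# Constructed "before" manifest: Secret values injected straight into the
# process environment. This is the pattern that fails 5.4.1.
BEFORE = {
    "kind": "Deployment",
    "metadata": {"name": "router-default", "namespace": "openshift-ingress"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "router",
            "env": [
                {"name": "STATS_USERNAME", "valueFrom": {"secretKeyRef": {
                    "name": "router-stats-default", "key": "statsUsername"}}},
                {"name": "STATS_PASSWORD", "valueFrom": {"secretKeyRef": {
                    "name": "router-stats-default", "key": "statsPassword"}}},
                {"name": "STATS_PORT", "value": "1936"},
            ],
        }],
    }}},
}

# Constructed "after" manifest, shaped like the verified 4.8 deployment: the
# Secret is mounted read-only and env vars carry only file paths.
AFTER = {
    "kind": "Deployment",
    "metadata": {"name": "router-default", "namespace": "openshift-ingress"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "router",
            "env": [
                {"name": "STATS_USERNAME_FILE",
                 "value": "/var/lib/haproxy/conf/metrics-auth/statsUsername"},
                {"name": "STATS_PASSWORD_FILE",
                 "value": "/var/lib/haproxy/conf/metrics-auth/statsPassword"},
                {"name": "STATS_PORT", "value": "1936"},
            ],
            "volumeMounts": [{"name": "stats-auth", "readOnly": True,
                              "mountPath": "/var/lib/haproxy/conf/metrics-auth"}],
        }],
        "volumes": [{"name": "stats-auth",
                     "secret": {"secretName": "router-stats-default",
                                "defaultMode": 420}}],
    }}},
}


def load_deployment(path):
    """Load a Deployment saved with `kubectl get deployment <name> -o json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _containers(deployment):
    """Yield every init container and regular container in the pod template."""
    pod = deployment["spec"]["template"]["spec"]
    yield from pod.get("initContainers", []) + pod.get("containers", [])


def secret_env_findings(deployment):
    """One finding per Secret exposed to a process environment.

    Covers per-key injection (env[].valueFrom.secretKeyRef) and whole-secret
    injection (envFrom[].secretRef). Literal values are not flagged, so the
    *_FILE path variables in the fixed deployment pass.
    """
    findings = []
    for c in _containers(deployment):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append({"container": c["name"], "env": env["name"],
                                 "secret": ref["name"], "key": ref.get("key")})
        for src in c.get("envFrom", []):
            ref = src.get("secretRef")
            if ref:
                findings.append({"container": c["name"], "env": "*",
                                 "secret": ref["name"], "key": None})
    return findings


def secret_volume_mounts(deployment):
    """(container, secretName, mountPath, readOnly) for each mounted Secret volume."""
    pod = deployment["spec"]["template"]["spec"]
    secret_by_volume = {v["name"]: v["secret"]["secretName"]
                        for v in pod.get("volumes", []) if "secret" in v}
    mounts = []
    for c in _containers(deployment):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_by_volume:
                mounts.append((c["name"], secret_by_volume[m["name"]],
                               m["mountPath"], bool(m.get("readOnly", False))))
    return mounts


def audit_cis_5_4_1(deployment):
    """Return (passed, report_lines). Passes only when no Secret reaches the environment."""
    findings = secret_env_findings(deployment)
    lines = [f"{f['container']}: env {f['env']} <- secret {f['secret']}/{f['key']}"
             for f in findings]
    for c, secret, path, ro in secret_volume_mounts(deployment):
        lines.append(f"{c}: secret {secret} mounted at {path} ({'ro' if ro else 'rw'})")
    return not findings, lines


if __name__ == "__main__":
    for label, dep in (("before", BEFORE), ("after", AFTER)):
        passed, report = audit_cis_5_4_1(dep)
        print(f"[{label}] CIS 5.4.1: {'PASS' if passed else 'FAIL'}")
        for line in report:
            print("   ", line)
```

Against a live cluster the same check runs as `audit_cis_5_4_1(load_deployment("router-default.json"))` after saving the Deployment with `oc get deployment -n openshift-ingress router-default -o json`. Mounting the Secret read-only, as the verified deployment does, keeps the credential out of `oc describe pod` output, `/proc/<pid>/environ` and inherited child-process environments, which is the exposure 5.4.1 is aimed at.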
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438