Description of problem:
Router default pods on OpenShift 4 fail [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendation 5.4.1 which states the following: "Prefer using secrets as files over secrets as environment variables".
`router-default` pods leverage secrets stored in the STATS_PASSWORD and STATS_USERNAME environment variables, which causes the benchmark to fail. See: https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/deployment.go#L325-L344
In order for the benchmark to pass, changes to the ingress-operator and the router application will need to be made so that the stats credentials are sourced directly from a secret volume.
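The check behind recommendation 5.4.1 can be automated against a pod spec. The following is an added example, not code from the ingress-operator or the report: it audits a spec for env vars sourced from a Secret and lists Secret-backed volumes, run over hand-written approximations of `router-default` before and after the fix (the secret key names and file names under the mount are assumptions; the env var, volume, mountPath and secret names are those the report shows).

```python
# Audit a pod spec for CIS Kubernetes Benchmark 5.4.1 (secrets as files, not
# env vars). Constructed example, not the ingress-operator's code: secret key
# and file names are hypothetical; the other names come from the bug report.
from typing import Dict, List

# Approximation of router-default before the fix: credentials as env vars.
BEFORE: Dict = {
    "containers": [{"name": "router", "env": [
        {"name": "STATS_USERNAME", "valueFrom": {"secretKeyRef": {
            "name": "router-stats-default", "key": "statsUsername"}}},
        {"name": "STATS_PASSWORD", "valueFrom": {"secretKeyRef": {
            "name": "router-stats-default", "key": "statsPassword"}}},
    ]}],
    "volumes": [],
}

# After the fix: the secret is a volume and env vars only carry file paths.
AFTER: Dict = {
    "containers": [{"name": "router", "env": [
        {"name": "STATS_USERNAME_FILE",
         "value": "/var/lib/haproxy/conf/metrics-auth/statsUsername"},
        {"name": "STATS_PASSWORD_FILE",
         "value": "/var/lib/haproxy/conf/metrics-auth/statsPassword"},
    ], "volumeMounts": [{"name": "stats-auth",
                         "mountPath": "/var/lib/haproxy/conf/metrics-auth"}]}],
    "volumes": [{"name": "stats-auth",
                 "secret": {"secretName": "router-stats-default"}}],
}

def secret_env_findings(pod_spec: Dict) -> List[str]:
    """'container/ENV' for every env var sourced from a Secret, via
    valueFrom.secretKeyRef or envFrom.secretRef; an empty list passes 5.4.1."""
    findings: List[str] = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"{c['name']}/{env['name']}")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append(f"{c['name']}/envFrom:{src['secretRef']['name']}")
    return findings

def secret_volume_names(pod_spec: Dict) -> List[str]:
    """Volumes backed by a Secret: the compliant way for a pod to consume one."""
    return [v["name"] for v in pod_spec.get("volumes", []) if "secret" in v]

if __name__ == "__main__":
    print("before:", secret_env_findings(BEFORE), secret_volume_names(BEFORE))
    print("after:", secret_env_findings(AFTER), secret_volume_names(AFTER))
```

The same functions can be pointed at the `spec.template.spec` of a live Deployment fetched with `oc get deployment -o json` to confirm the fix on a cluster.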
Version-Release number of selected component (if applicable):
Steps to Reproduce:
This report does not specify severity. What is the impact of this issue? Does this affect customers?
This is preventing IBM from receiving the CIS security software certification for one of its product offerings.
Verified with 4.8.0-0.nightly-2021-06-07-180258 and passed.
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.8.0-0.nightly-2021-06-07-180258 True False 72m Cluster version is 4.8.0-0.nightly-2021-06-07-180258
$ oc -n openshift-ingress get deployment/router-default -oyaml
- name: STATS_PASSWORD_FILE
- name: STATS_PORT
- name: STATS_USERNAME_FILE
- mountPath: /var/lib/haproxy/conf/metrics-auth
- name: stats-auth
$ oc -n openshift-ingress get secret/router-stats-default -oyaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.