Bug 1955822 - CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secrets as environment variables
Summary: CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secre...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Stephen Greene
QA Contact: Hongan Li
Depends On:
TreeView+ depends on / blocked
Reported: 2021-04-30 21:08 UTC by rrpolanco
Modified: 2022-08-04 22:32 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-07-27 23:05:33 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-ingress-operator pull 621 0 None open Bug 1955822: Ingress: Mount router stats secret as a volume 2021-06-04 16:43:26 UTC
Github openshift router pull 291 0 None closed Bug 1955822: cmd: Add option to source stats auth from file 2021-06-04 16:43:27 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:05:56 UTC

Description rrpolanco 2021-04-30 21:08:29 UTC
Description of problem:

Router default pods on OpenShift 4 fail [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendation 5.4.1 which states the following: "Prefer using secrets as files over secrets as environment variables".

`router-default` pods leverage secrets stored in STATS_PASSWORD and STATS_USERNAME environment variables which causes the benchmark to fail. See: https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/deployment.go#L325-L344

In order for the benchmark to pass changes to the ingress-operator and router application will need to be made so that the stats credentials are sourced directly from a secret volume.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Miciah Dashiel Butler Masters 2021-05-12 14:35:42 UTC
This report does not specify severity.  What is the impact of this issue?  Does this affect customers?

Comment 2 rrpolanco 2021-05-19 18:28:32 UTC
This is preventing IBM from receiving the CIS security software certification for one of its product offerings.

Comment 5 Hongan Li 2021-06-08 03:22:56 UTC
Verified with 4.8.0-0.nightly-2021-06-07-180258 and passed.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-07-180258   True        False         72m     Cluster version is 4.8.0-0.nightly-2021-06-07-180258

$ oc -n openshift-ingress get deployment/router-default -oyaml
      - env:
        - name: STATS_PASSWORD_FILE
          value: /var/lib/haproxy/conf/metrics-auth/statsPassword
        - name: STATS_PORT
          value: "1936"
        - name: STATS_USERNAME_FILE
          value: /var/lib/haproxy/conf/metrics-auth/statsUsername
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4952d471351bbedc784e76df6cca865313100225aa046df016f92371ce7cd044
        imagePullPolicy: IfNotPresent
        - mountPath: /var/lib/haproxy/conf/metrics-auth
          name: stats-auth
          readOnly: true
      - name: stats-auth
          defaultMode: 420
          secretName: router-stats-default

$ oc -n openshift-ingress get secret/router-stats-default -oyaml
apiVersion: v1
  statsPassword: <string>
  statsUsername: <string>
kind: Secret

Comment 8 errata-xmlrpc 2021-07-27 23:05:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.