Bug 1955822 - CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secrets as environment variables
Summary: CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secre...
Keywords:
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: aos-network-edge-staff
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-04-30 21:08 UTC by rrpolanco
Modified: 2021-05-04 21:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)

Description rrpolanco 2021-04-30 21:08:29 UTC
Description of problem:

Router default pods on OpenShift 4 fail [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) recommendation 5.4.1 which states the following: "Prefer using secrets as files over secrets as environment variables".

`router-default` pods leverage secrets stored in STATS_PASSWORD and STATS_USERNAME environment variables which causes the benchmark to fail. See: https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/deployment.go#L325-L344

In order for the benchmark to pass changes to the ingress-operator and router application will need to be made so that the stats credentials are sourced directly from a secret volume.


Version-Release number of selected component (if applicable):
4.x

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:


Note You need to log in before you can comment on or make changes to this bug.