Description of problem:
This is causing failures in the CIS check from the compliance operator:

# oc -n openshift-compliance get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,!compliance.openshift.io/automated-remediation'
NAME                                                             STATUS   SEVERITY
ocp4-cis-node-master-file-permissions-openshift-pki-cert-files   FAIL     medium
ocp4-cis-node-master-file-permissions-openshift-pki-key-files    FAIL     medium

Looking at the masters, you can see they have 644 permissions:

[root@master-02 ~]# ls -l /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt /etc/kubernetes/static-pod-resources/*/*/*/*.key | grep -v -- '-rw-------'
-rw-r--r--. 1 root root 5859 Apr 13 18:32 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-r--r--. 1 root root 1704 Apr 13 18:32 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.key

You can see the CIS benchmark here:
https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/master/file_permissions_openshift_pki_cert_files/rule.yml#L5

It's expecting certificate permissions to be 600.

Version-Release number of selected component (if applicable):
4.7

How reproducible:
Always

Steps to Reproduce:
1. Using the default compliance operator
2.
3.

Actual results:
644 permissions

Expected results:
600 permissions for CIS compliance

Additional info:
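The check the reporter ran by hand (ls piped through grep -v '-rw-------') can be turned into a reusable audit and remediation helper. The script below is an added example written for this page; it is not code from the bug, from the compliance operator, or from the ComplianceAsCode rule. It uses only POSIX find/chmod. The directory tree it builds under mktemp is constructed to mirror the paths in the report (a tls.crt at 644 beside a tls.key at 600); on a real master you would point it at /etc/kubernetes/static-pod-resources instead. Note that the *.crt/*.key match is slightly broader than the two globs in the bug's ls command, so it also catches certificate and key files under other static-pod-resources subtrees.

```shell
#!/bin/sh
# Added example (not part of the bug report or the compliance operator).
# Audits and optionally tightens permissions on PKI files, mirroring the
# intent of the CIS rule cited in the bug: every certificate and key file
# under the static-pod-resources tree should be mode 0600.

# List every regular *.crt / *.key file under $1 whose mode is not exactly
# 0600, one path per line, sorted so the output is stable.
# POSIX find: "-perm 0600" without a leading '-' means an exact match,
# so "! -perm 0600" lists 0644, 0640, 0604 and so on.
find_loose_pki_files() {
    find "$1" -type f \( -name '*.crt' -o -name '*.key' \) ! -perm 0600 | sort
}

# Return 0 when every matching file is 0600, 1 otherwise. The offending
# paths are printed so the function can gate a CI or pre-scan step.
check_pki_perms() {
    loose=$(find_loose_pki_files "$1")
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}

# Remediation counterpart: tighten every matching file to 0600, which is the
# mode the cited rule expects. Only files that are not already 0600 are touched.
fix_pki_perms() {
    find "$1" -type f \( -name '*.crt' -o -name '*.key' \) ! -perm 0600 \
        -exec chmod 0600 {} +
}

# Demo against a constructed tree (assumption: a throwaway mktemp directory
# standing in for /etc/kubernetes/static-pod-resources on a master).
demo_pki_perms() {
    root=$(mktemp -d)
    secret="$root/kube-apiserver-certs/secrets/user-serving-cert-000"
    mkdir -p "$secret"
    : > "$secret/tls.crt"; chmod 0644 "$secret/tls.crt"   # the failing case from the bug
    : > "$secret/tls.key"; chmod 0600 "$secret/tls.key"   # already compliant
    : > "$secret/notes.txt"; chmod 0644 "$secret/notes.txt" # not a PKI file, must be ignored

    echo "Before remediation:"
    check_pki_perms "$root" || echo "-> check FAILED (as the compliance operator reports)"

    fix_pki_perms "$root"

    echo "After remediation:"
    check_pki_perms "$root" && echo "-> check PASSED"

    rm -rf "$root"
    return 0
}

demo_pki_perms
```

Run it as root on a master with `check_pki_perms /etc/kubernetes/static-pod-resources` to reproduce the operator's finding without a scan; `fix_pki_perms` is the manual equivalent of the remediation the rule wants, and should be applied only with the same caution as any hand edit to installer-managed files.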
*** This bug has been marked as a duplicate of bug 1977730 ***