2026089 – Different file permission for secrets/user-serving-cert-000/tls.crt and secrets/user-serving-cert-000/tls.key

Bug 2026089 - Different file permission for secrets/user-serving-cert-000/tls.crt and secrets/user-serving-cert-000/tls.key

Summary: Different file permission for secrets/user-serving-cert-000/tls.crt and secre...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	kube-apiserver
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	---
Target Release:	4.8.z
Assignee:	Abu Kashem
QA Contact:	Rahul Gangwar
Docs Contact:
URL:
Whiteboard:
Depends On:	1977730
Blocks:	2013838
TreeView+	depends on / blocked

Reported:	2021-11-23 18:01 UTC by OpenShift BugZilla Robot
Modified:	2023-04-13 16:04 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-01-12 16:54:48 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift cluster-kube-apiserver-operator pull 1320	None	Merged	[release-4.8] Bug 2026089: library-go bump	2022-03-15 18:39:50 UTC
Github	openshift library-go pull 1254	None	Merged	[release-4.8] Bug 2026089: change write storage chmod	2022-03-15 18:39:54 UTC
Red Hat Product Errata	RHBA-2022:0021	None	None	None	2022-01-11 22:31:35 UTC
Red Hat Product Errata	RHBA-2023:0018	None	None	None	2023-01-12 16:54:55 UTC

Comment 6 Rahul Gangwar 2021-12-22 16:25:19 UTC

oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-12-21-212247   True        False         9m49s   Cluster version is 4.8.0-0.nightly-2021-12-21-212247

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem  -subj "/CN=<API_FQDN>"
Generating a 2048 bit RSA private key
................................................................................................................................................+++
.......+++
writing new private key to 'key.pem'
-----

oc create secret tls api-secret --cert=certificate.pem  --key=key.pem  -n openshift-config
secret/api-secret created

 oc get apiserver/cluster -o yaml
      servingCertificate:
        name: api-secret

 for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T  -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done
Starting pod/ip-10-0-153-141us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 2.4K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.1K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-170-127us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 2.5K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 1.1K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt
-rw-------. 1 root root 2.4K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-212-167us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.1K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...

Comment 9 errata-xmlrpc 2022-01-11 22:31:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.26 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0021

Comment 15 Rahul Gangwar 2022-03-01 17:45:00 UTC

oc adm release info --commits registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2022-02-28-225103|grep -i kube-apiserver-operator
  cluster-kube-apiserver-operator                https://github.com/openshift/cluster-kube-apiserver-operator                25c54939bdd02bc8e68f1329fa3ebe16904b3282

git log --date local --pretty="%h %an %cd - %s"  25c54939 |grep -i 1320
25c54939b OpenShift Merge Robot Mon Feb 28 15:29:23 2022 - Merge pull request #1320 from EmilyM1/bump-for-4.8-libgo

Before changes 
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2022-02-28-225103   True        False         163m    Cluster version is 4.8.0-0.nightly-2022-02-28-225103
rahulgangwar@rgangwar-mac cluster-kube-apiserver-operator % for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T  -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done
Starting pod/ip-10-0-60-208us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.7K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-60-72us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 2.4K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.7K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-73-175us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.7K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt
-rw-------. 1 root root 2.4K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt

After changes

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem  -subj "/CN=test.com"  
Generating a 2048 bit RSA private key
...........................................................+++
...................................................................+++
writing new private key to 'key.pem'
-----
 oc create secret tls api-secret --cert=certificate.pem  --key=key.pem  -n openshift-config

secret/api-secret created
 oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - names:
      - test.com                
      servingCertificate:
        name: api-secret     

 oc get apiserver cluster -o yaml
servingCerts:
    namedCertificates:
    - names:
      - test.com
      servingCertificate:
        name: api-secret

 for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T  -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done
Starting pod/ip-10-0-60-208us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 2.7K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt
-rw-------. 1 root root 2.4K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root  973 Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-60-72us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root  973 Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-73-175us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root  973 Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Comment 21 Rahul Gangwar 2022-05-12 04:45:31 UTC

Shanna, Checking with dev will update you soon.

Comment 22 Shailendra Singh 2022-08-24 13:42:38 UTC

Hello Team,

Can we please get any update on this?

Comment 28 errata-xmlrpc 2023-01-12 16:54:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.56 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0018

Note You need to log in before you can comment on or make changes to this bug.

amulmule
clasohm
dtambat
kvatteka
mfojtik
mirollin
mrobson
nkaushik
pawankum
rgangwar
sbiradar
shaising
shchan
simore
sttts
surbania
suyama
vlaad
wking
xxia