Bug 2026089 - Different file permission for secrets/user-serving-cert-000/tls.crt and secrets/user-serving-cert-000/tls.key
Summary: Different file permission for secrets/user-serving-cert-000/tls.crt and secre...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.7
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.8.z
Assignee: Abu Kashem
QA Contact: Rahul Gangwar
URL:
Whiteboard:
Depends On: 1977730
Blocks: 2013838
TreeView+ depends on / blocked
 
Reported: 2021-11-23 18:01 UTC by OpenShift BugZilla Robot
Modified: 2023-04-13 16:04 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-12 16:54:48 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1320 0 None Merged [release-4.8] Bug 2026089: library-go bump 2022-03-15 18:39:50 UTC
Github openshift library-go pull 1254 0 None Merged [release-4.8] Bug 2026089: change write storage chmod 2022-03-15 18:39:54 UTC
Red Hat Product Errata RHBA-2022:0021 0 None None None 2022-01-11 22:31:35 UTC
Red Hat Product Errata RHBA-2023:0018 0 None None None 2023-01-12 16:54:55 UTC

Comment 6 Rahul Gangwar 2021-12-22 16:25:19 UTC
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-12-21-212247   True        False         9m49s   Cluster version is 4.8.0-0.nightly-2021-12-21-212247

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem  -subj "/CN=<API_FQDN>"
Generating a 2048 bit RSA private key
................................................................................................................................................+++
.......+++
writing new private key to 'key.pem'
-----

oc create secret tls api-secret --cert=certificate.pem  --key=key.pem  -n openshift-config
secret/api-secret created

 oc get apiserver/cluster -o yaml
      servingCertificate:
        name: api-secret

 for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T  -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done
Starting pod/ip-10-0-153-141us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 2.4K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.1K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-170-127us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 2.5K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 1.1K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt
-rw-------. 1 root root 2.4K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-212-167us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.1K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...

Comment 9 errata-xmlrpc 2022-01-11 22:31:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.26 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0021

Comment 15 Rahul Gangwar 2022-03-01 17:45:00 UTC
oc adm release info --commits registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2022-02-28-225103|grep -i kube-apiserver-operator
  cluster-kube-apiserver-operator                https://github.com/openshift/cluster-kube-apiserver-operator                25c54939bdd02bc8e68f1329fa3ebe16904b3282

git log --date local --pretty="%h %an %cd - %s"  25c54939 |grep -i 1320
25c54939b OpenShift Merge Robot Mon Feb 28 15:29:23 2022 - Merge pull request #1320 from EmilyM1/bump-for-4.8-libgo

Before changes 
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2022-02-28-225103   True        False         163m    Cluster version is 4.8.0-0.nightly-2022-02-28-225103
rahulgangwar@rgangwar-mac cluster-kube-apiserver-operator % for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T  -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done
Starting pod/ip-10-0-60-208us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.7K Mar  1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-60-72us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 2.4K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.7K Mar  1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-73-175us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.7K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt
-rw-------. 1 root root 2.4K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt

After changes

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem  -subj "/CN=test.com"  
Generating a 2048 bit RSA private key
...........................................................+++
...................................................................+++
writing new private key to 'key.pem'
-----
 oc create secret tls api-secret --cert=certificate.pem  --key=key.pem  -n openshift-config

secret/api-secret created
 oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - names:
      - test.com                
      servingCertificate:
        name: api-secret     

 oc get apiserver cluster -o yaml
servingCerts:
    namedCertificates:
    - names:
      - test.com
      servingCertificate:
        name: api-secret

 for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T  -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done
Starting pod/ip-10-0-60-208us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 2.7K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt
-rw-------. 1 root root 2.4K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root  973 Mar  1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-60-72us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root  973 Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Mar  1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Removing debug pod ...
Starting pod/ip-10-0-73-175us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
-rw-------. 1 root root 1.2K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt
-rw-------. 1 root root 2.4K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 2.5K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt
-rw-------. 1 root root 1.2K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt
-rw-------. 1 root root  973 Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt
-rw-------. 1 root root 2.7K Mar  1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt

Comment 21 Rahul Gangwar 2022-05-12 04:45:31 UTC
Shanna, Checking with dev will update you soon.

Comment 22 Shailendra Singh 2022-08-24 13:42:38 UTC
Hello Team,

Can we please get any update on this?

Comment 28 errata-xmlrpc 2023-01-12 16:54:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.56 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0018


Note You need to log in before you can comment on or make changes to this bug.