Description of problem:
The Compliance Operator is reporting the "ocp4-cis-node-master-file-permissions-openshift-pki-cert-files" and "ocp4-cis-node-master-file-permissions-openshift-pki-key-files" rules as failed. There is no MachineConfig overriding the permissions on the files. The files with world-readable permissions are the following, with the same behavior on all 3 masters:

-rw-r--r--. 1 root root 1.7K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.key
-rw-r--r--. 1 root root 1.2K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt
-rw-r--r--. 1 root root 1.7K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.key
-rw-r--r--. 1 root root 1.2K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt
-rw-r--r--. 1 root root 1.3K Mar 11 23:49 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt
-rw-r--r--. 1 root root 1.7K Mar 11 23:49 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.key

As a workaround, 2 weeks ago the customer ran "sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt" and "sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key" on the master nodes, just as the OpenSCAP report recommends, but now these rules have appeared as failed again because something has renewed some PKI files. According to the "Red Hat OpenShift 4 Hardening Guide v1.1" document, the rule does not need remediation because the file permissions are managed by the operator.
Version-Release number of selected component (if applicable):
4.9.17

How reproducible:
Install a cluster version 4.9.17+ with Compliance Operator v0.1.48 and configure a default scan for the ocp4-cis profile. It will take a couple of days/weeks for the operator to refresh/rotate the 6 files above.

Steps to Reproduce:
1.
2.
3.

Actual results:
4 cert files from kube-controller-manager and 2 files from kube-scheduler with global read permissions (i.e. 644).

Expected results:
All 6 files mentioned with 600 permissions.

Additional info:
In attachment.
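A local reproduction of the check behind the two failed rules, added here as an example; it is not part of the bug report, the attachment, or the Compliance Operator's own code. It assumes GNU find/stat (Linux) and builds a constructed miniature of the static-pod-resources layout under a temporary directory: the file contents are placeholders, and the kube-apiserver-certs/secrets/example-fixed path is an invented "already 0600" control, not a path from the report. The remediation function is the reporter's chmod workaround narrowed to the offending files only.

```shell
#!/bin/sh
# Added example (not from the bug report): replicate the CIS cert/key file
# permission check locally. A file is flagged when any group/other permission
# bit is set, i.e. its mode is looser than 0600. Assumes GNU find and stat.

# find_loose_pki_files DIR
# Prints "MODE PATH" for every *.crt / *.key under DIR with any group/other bit
# set (-perm /077). Prints nothing when all such files are 0600 or tighter.
find_loose_pki_files() {
    find "$1" -type f \( -name '*.crt' -o -name '*.key' \) -perm /077 \
        -exec stat -c '%a %n' {} \; | sort
}

# count_loose_pki_files DIR -> number of files the scan would flag
count_loose_pki_files() {
    find_loose_pki_files "$1" | wc -l | tr -d ' '
}

# remediate_loose_pki_files DIR
# The reporter's workaround (chmod 0600), applied only to files that need it.
# Note: this is a point-in-time fix; a file rewritten by the operator on its
# next rotation comes back with whatever mode the operator uses.
remediate_loose_pki_files() {
    find "$1" -type f \( -name '*.crt' -o -name '*.key' \) -perm /077 \
        -exec chmod 0600 {} +
}

# build_sample_tree PARENT -> prints the path of the constructed tree
# Constructed sample: two secrets with world-readable tls.crt/tls.key, mirroring
# what the report shows, plus one secret already at 0600 as a control
# (kube-apiserver-certs/secrets/example-fixed is invented, not from the report).
build_sample_tree() {
    base="$1/static-pod-resources"
    for s in kube-controller-manager-certs/secrets/csr-signer \
             kube-scheduler-certs/secrets/kube-scheduler-client-cert-key \
             kube-apiserver-certs/secrets/example-fixed; do
        mkdir -p "$base/$s"
        printf 'placeholder cert\n' > "$base/$s/tls.crt"
        printf 'placeholder key\n'  > "$base/$s/tls.key"
    done
    chmod 0644 "$base/kube-controller-manager-certs/secrets/csr-signer/tls.crt" \
               "$base/kube-controller-manager-certs/secrets/csr-signer/tls.key" \
               "$base/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt" \
               "$base/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.key"
    chmod 0600 "$base/kube-apiserver-certs/secrets/example-fixed/tls.crt" \
               "$base/kube-apiserver-certs/secrets/example-fixed/tls.key"
    printf '%s\n' "$base"
}

# Stand-alone demo: build the sample tree, report offenders, remediate, re-check.
demo_tmp=$(mktemp -d)
demo_base=$(build_sample_tree "$demo_tmp")
echo "Before remediation ($(count_loose_pki_files "$demo_base") flagged):"
find_loose_pki_files "$demo_base"
remediate_loose_pki_files "$demo_base"
echo "After remediation ($(count_loose_pki_files "$demo_base") flagged)"
rm -rf "$demo_tmp"
```

On a real master the same functions would be run as root against /etc/kubernetes/static-pod-resources; the output format ("644 /path/to/tls.key") is what you would compare against the rule's finding. Because the operator rewrites these secrets on rotation, a clean result right after remediation says nothing about the next rotation, which is exactly the behavior the report describes.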
Hi, sorry for the late response. This should be fixed already by:
- https://github.com/openshift/library-go/pull/1202
- https://github.com/openshift/cluster-kube-scheduler-operator/pull/405
- https://github.com/openshift/cluster-kube-controller-manager-operator/pull/593
Can you please update to the latest 4.9 and check whether it fixes this issue for you?