Bug 2065312 - RHOCP 4.9 with global read permissions on static-pod-resources/kube-controller-manager-certs secrets
Status: CLOSED DUPLICATE of bug 2044622
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.9
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Filip Krepinsky
QA Contact: zhou ying
Depends On:
Reported: 2022-03-17 16:05 UTC by Gabriel Scheffer
Modified: 2022-03-29 15:38 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-03-29 15:38:50 UTC
Target Upstream Version:


Description Gabriel Scheffer 2022-03-17 16:05:06 UTC
Description of problem:
The compliance operator is reporting the "ocp4-cis-node-master-file-permissions-openshift-pki-cert-files" and "ocp4-cis-node-master-file-permissions-openshift-pki-key-files" rules as failed.

There is no MachineConfig overriding the permissions on the files.
The files with globally readable permissions are the following; the behavior is the same on all 3 masters:

-rw-r--r--. 1 root root 1.7K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.key
-rw-r--r--. 1 root root 1.2K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt
-rw-r--r--. 1 root root 1.7K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.key
-rw-r--r--. 1 root root 1.2K Mar 11 04:33 /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt
-rw-r--r--. 1 root root 1.3K Mar 11 23:49 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt
-rw-r--r--. 1 root root 1.7K Mar 11 23:49 /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.key

As a workaround: 2 weeks ago, the customer ran "sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt" and "sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key" on the master nodes, just as the OpenSCAP report recommends, but now these rules have appeared again as failed, because something has renewed some PKI files.

According to the "Red Hat OpenShift 4 Hardening Guide v1.1" document, the rule does not need remediation because the file permissions are managed by the operator.

Version-Release number of selected component (if applicable):

How reproducible:
Install a cluster version 4.9.17+ with Compliance Operator v0.1.48 and configure a Default Scan for the ocp4-cis profile. It will take a couple of days/weeks for the operator to refresh/rotate the 6 files above.

Steps to Reproduce:

Actual results:
4 cert files from kube-controller-manager and 2 files from kube-scheduler with global read permissions (i.e. 644).

Expected results:
All 6 files mentioned with 600 permissions.

Additional info:
In attachment.

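The check a practitioner would want to run on each master after a certificate rotation, as an added example that is not part of the bug report and not code from the OpenShift operators: a POSIX shell audit that walks the two static-pod-resources certificate trees named above and lists every regular file under secrets/ whose mode is not exactly 0600 (the outcome the CIS rules test), plus a function that applies the customer's chmod 0600 workaround. The default root paths are taken from the report; the script name, subcommands and function names are assumptions, and `stat -c` is GNU coreutils as shipped on RHCOS.

```shell
#!/bin/sh
# Added example, not from the bug report or the OpenShift operators: audit the
# static-pod secret material named in the report for modes wider than 0600, and
# optionally apply the chmod 0600 workaround the customer used. Run on a master
# node as root. Requires GNU find/stat (coreutils), as shipped on RHCOS.

# The two trees from the report (assumed as defaults; any root can be passed instead).
DEFAULT_ROOTS="/etc/kubernetes/static-pod-resources/kube-controller-manager-certs \
/etc/kubernetes/static-pod-resources/kube-scheduler-certs"

# check_secret_modes ROOT...: print "<octal mode> <path>" for every regular file under
# ROOT/secrets/ whose mode is not exactly 0600. Returns 0 when every file is 0600 (or the
# root does not exist), 1 when at least one file is wider, matching the CIS rule outcome.
check_secret_modes() {
    bad=$(for root in "$@"; do
        [ -d "$root/secrets" ] || continue
        # -perm 600 without a leading - or / is an exact-mode match in POSIX find
        find "$root/secrets" -type f ! -perm 600 -exec stat -c '%a %n' {} +
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# fix_secret_modes ROOT...: the workaround from the report (chmod 0600 on every file
# under ROOT/secrets/). Caveat stated in the report itself: the operator re-lays these
# files on certificate rotation, so the change is lost until the operator-side fix
# (see the linked PRs) is installed; rerun the check after each rotation.
fix_secret_modes() {
    for root in "$@"; do
        [ -d "$root/secrets" ] || continue
        find "$root/secrets" -type f -exec chmod 0600 {} +
    done
}

# Usage: sh audit-secret-modes.sh check|fix [ROOT...]
# With no ROOT the report's two trees are used; "fix" applies the workaround and re-checks.
# With no subcommand only the functions are defined (so the file can be sourced).
case "${1-}" in
    check)
        shift; [ "$#" -gt 0 ] || set -- $DEFAULT_ROOTS
        check_secret_modes "$@"; exit $? ;;
    fix)
        shift; [ "$#" -gt 0 ] || set -- $DEFAULT_ROOTS
        fix_secret_modes "$@"; check_secret_modes "$@"; exit $? ;;
esac
```

`sh audit-secret-modes.sh check` exits non-zero and prints each offending file with its octal mode (644 for the six files in the report), which makes it usable from a cron job or a MachineConfig-delivered systemd timer as a stopgap alert until the cluster is updated to a 4.9 build carrying the operator fix.
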
Comment 4 Filip Krepinsky 2022-03-28 19:20:23 UTC
Hi, sorry for the late response.

This should be fixed already by:

- https://github.com/openshift/library-go/pull/1202


- https://github.com/openshift/cluster-kube-scheduler-operator/pull/405
- https://github.com/openshift/cluster-kube-controller-manager-operator/pull/593

Can you please update to latest 4.9 and check if it fixes this issue for you?
