According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use the usage of wildcards in ClusterRoles and Roles should be prevented as far as possible. Further, one should refrain from using `cluster-admin` permissions to comply with CIS security requirements. It's therefore requested to review the below serviceAccount and its associated Roles, as they were found not to be compliant with the above, and restrict permissions further to the extent possible.

- system:serviceaccount:openshift-cluster-node-tuning-operator:cluster-node-tuning-operator
Thanks @sreber@redhat, can you please review the proposed fix for this BZ in https://github.com/openshift/cluster-node-tuning-operator/pull/333?
(In reply to dagray from comment #1)
> Thanks @sreber@redhat, can you please review the proposed fix for this BZ in
> https://github.com/openshift/cluster-node-tuning-operator/pull/333?

Not sure if you want me to comment here or in the pull request. Definitely the changes you have proposed look promising and are going in the right direction. If we can get this to work it should definitely satisfy the requirement mentioned.
Verified Result:

[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-04-12-000004   True        False         7m5s    Cluster version is 4.11.0-0.nightly-2022-04-12-000004

[ocpadmin@ec2-18-217-45-133 ~]$ oc project openshift-cluster-node-tuning-operator
Now using project "openshift-cluster-node-tuning-operator" on server "https://api.liqcui-oc411ci.qe.devcluster.openshift.com:6443".

[ocpadmin@ec2-18-217-45-133 ~]$ oc get role |grep tun

[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterrole |grep tun
cluster-node-tuning-operator   2022-04-12T05:27:26Z
cluster-node-tuning:tuned      2022-04-12T05:27:31Z

[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterrole cluster-node-tuning:tuned -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2022-04-12T05:27:31Z"
  name: cluster-node-tuning:tuned
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 3a99d573-a903-4e42-8aa8-498970a76512
  resourceVersion: "2039"
  uid: 2c0126e9-7901-45c2-bc3b-b9a2d27e026b
rules:
- apiGroups:
  - tuned.openshift.io
  resources:
  - tuneds
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tuned.openshift.io
  resources:
  - profiles
  verbs:
  - get
  - list
  - update
  - watch
  - patch
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use

[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterrole cluster-node-tuning-operator -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2022-04-12T05:27:26Z"
  name: cluster-node-tuning-operator
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 3a99d573-a903-4e42-8aa8-498970a76512
  resourceVersion: "1923"
  uid: 99430ca1-8e93-43ae-a92e-20fbbfcc4149
rules:
- apiGroups:
  - tuned.openshift.io
  resources:
  - tuneds
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
  - patch
- apiGroups:
  - tuned.openshift.io
  resources:
  - tuneds/finalizers
  verbs:
  - update
- apiGroups:
  - tuned.openshift.io
  resources:
  - profiles
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
  - patch
- apiGroups:
  - tuned.openshift.io
  resources:
  - profiles/finalizers
  verbs:
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
  - patch
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  - nodes/specs
  verbs:
  - get
- apiGroups:
  - config.openshift.io
  resources:
  - clusteroperators
  - infrastructures
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - config.openshift.io
  resources:
  - clusteroperators/status
  - clusteroperators/finalizers
  verbs:
  - update
- apiGroups:
  - machineconfiguration.openshift.io
  resources:
  - kubeletconfigs
  - machineconfigs
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
- apiGroups:
  - machineconfiguration.openshift.io
  resources:
  - machineconfigpools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
  - patch
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
- apiGroups:
  - performance.openshift.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - operators.coreos.com
  resources:
  - clusterserviceversions
  - operatorgroups
  - subscriptions
  verbs:
  - get
  - delete
  - list
  - update
  - watch

Also executed a test case, no issue.
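The manual review in the verification comment above (dump each ClusterRole with `-oyaml`, read the rules by eye) is easy to automate. The following script is an added example, not part of the cluster-node-tuning-operator project or of this bug's fix; it implements the two checks the CIS rule cited in comment #1 asks for: wildcard `apiGroups`/`resources`/`verbs` in a Role or ClusterRole, and subjects bound to `cluster-admin`. It uses only the standard library and consumes the JSON that `oc get <kind> -o json` emits. The sample ClusterRole embedded below is constructed from the rules printed in the verification output (trimmed to the entries that matter for the check); the sample bindings and their names (`example-admin-binding`, `example-sa`, `example-ns`) are hypothetical.

```python
"""Audit Kubernetes/OpenShift RBAC JSON for wildcard rules and cluster-admin bindings.

Added example (not project code). Reads `oc get ... -o json` output from stdin when
piped; otherwise runs against the constructed samples below.
"""
import json
import sys

# Constructed sample: a subset of the rules printed for the
# cluster-node-tuning-operator ClusterRole in the verification output.
SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-node-tuning-operator"},
    "rules": [
        {"apiGroups": ["tuned.openshift.io"], "resources": ["tuneds"],
         "verbs": ["create", "get", "delete", "list", "update", "watch", "patch"]},
        {"apiGroups": ["security.openshift.io"],
         "resources": ["securitycontextconstraints"], "verbs": ["use"]},
        {"apiGroups": ["performance.openshift.io"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["operators.coreos.com"],
         "resources": ["clusterserviceversions", "operatorgroups", "subscriptions"],
         "verbs": ["get", "delete", "list", "update", "watch"]},
    ],
}

# Constructed sample `kind: List` of ClusterRoleBindings; names are hypothetical.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admin-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "example-sa",
                       "namespace": "example-ns"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "example-tuned-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-node-tuning:tuned"},
         "subjects": [{"kind": "ServiceAccount", "name": "tuned",
                       "namespace": "openshift-cluster-node-tuning-operator"}]},
    ],
}

WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_rules(role):
    """Return [(rule_index, [fields containing a '*'])] for one Role/ClusterRole.

    A '*' anywhere in an entry is flagged, so "*", "pods/*" and "*/status"
    are all caught, not only the bare wildcard.
    """
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        bad = [f for f in WILDCARD_FIELDS
               if any("*" in entry for entry in rule.get(f, []))]
        if bad:
            findings.append((i, bad))
    return findings


def cluster_admin_subjects(bindings):
    """Return 'Kind:namespace/name' for every subject bound to the cluster-admin ClusterRole."""
    items = bindings.get("items", [bindings])  # accept a single binding or a List
    out = []
    for b in items:
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            for s in b.get("subjects", []):
                ns = s.get("namespace")
                out.append(f"{s['kind']}:{ns}/{s['name']}" if ns else f"{s['kind']}:{s['name']}")
    return out


def audit(obj):
    """Dispatch on kind for a single object or a `kind: List`; return list of finding strings."""
    items = obj.get("items", [obj])
    findings = []
    for item in items:
        name = item.get("metadata", {}).get("name", "<unnamed>")
        kind = item.get("kind", "")
        if kind in ("Role", "ClusterRole"):
            for idx, fields in wildcard_rules(item):
                findings.append(f"{kind}/{name}: rule[{idx}] uses wildcard in {', '.join(fields)}")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            for subj in cluster_admin_subjects(item):
                findings.append(f"{kind}/{name}: {subj} is bound to cluster-admin")
    return findings


if __name__ == "__main__":
    if not sys.stdin.isatty():
        objects = [json.load(sys.stdin)]
    else:
        objects = [SAMPLE_CLUSTERROLE, SAMPLE_BINDINGS]
    for obj in objects:
        for line in audit(obj):
            print(line)
```

Against a live cluster the script is fed with `oc get clusterrole cluster-node-tuning-operator -o json | python3 audit_rbac.py` and `oc get clusterrolebindings -o json | python3 audit_rbac.py`. Run on the constructed sample it reports the `performance.openshift.io` rule, which still carries `'*'` for both resources and verbs in the verification output above; whether that rule is acceptable is a judgement for the operator's owners, but the script makes sure it is at least seen rather than lost in a long YAML dump.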
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069