
Document expected failures for file permission issues on RKE and RKE2 Clusters when running CIS Scan #42971

Open
Priyashetty17 opened this issue Sep 27, 2023 · 2 comments
Assignees
Labels
feature/charts-cis-benchmark kind/bug Issues that are defects reported by users or that we know have reached a real release release-note Note this issue in the milestone's release notes status/release-note-added team/security
Milestone

Comments

@Priyashetty17
Contributor

Issue Description:
Currently, there are CIS checks related to file permissions that are failing on RKE and RKE2 clusters with CIS v1.7 profiles. These failures are expected as of now but will need to be addressed in the Q4 release with GH-42012 for RKE and rancher/rke2#4473 for RKE2. However, if these are not addressed in RKE and RKE2, it is important to document these expected failures in the hardening guides for the Q4 release.

With CIS v1.7 profile (K8s v1.27.5):

  • Here are the CIS checks related to file permissions that are failing on an RKE hardened cluster:

| State | Number | Description |
|---|---|---|
| Fail | 4.1.7 | Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated) |

```
ubuntu@ip-1xx-xx:~$ sudo stat -c permissions=%a /etc/kubernetes/ssl/kube-ca.pem
permissions=644
```
  • Here are the CIS checks related to file permissions that are failing on both RKE2 permissive and hardened clusters:

| State | Number | Description |
|---|---|---|
| Fail | 1.1.1 | Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated) |
| Fail | 1.1.3 | Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated) |
| Fail | 1.1.5 | Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated) |
| Fail | 1.1.7 | Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated) |

1.1.1:
```
ubuntu@ip-1xx-xx:~$ sudo stat -c permissions=%a /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
permissions=644
```

1.1.3:
```
ubuntu@ip-1xx-xx:~$ sudo /bin/sh -c 'if test -e /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml; then stat -c permissions=%a /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml; fi'
permissions=644
```

1.1.5:
```
ubuntu@ip-1xx-xx:~$ sudo /bin/sh -c 'if test -e /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml; then stat -c permissions=%a /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml; fi'
permissions=644
```

1.1.7:
```
ubuntu@ip-1xx-xx:~$ sudo /bin/sh -c 'if test -e /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml; then find /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml -name '*etcd*' | xargs stat -c permissions=%a; fi'
permissions=644
```

CC @andypitcher @JonCrowther @macedogm @rayandas
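The checks above all reduce to the same test: the file's mode must grant nothing beyond owner read/write (0600). The script below is an added example, not code from this issue or from the rancher/cis-benchmark chart, that re-implements that "600 or more restrictive" comparison bit-wise and runs it over the five paths listed in the issue, so an operator can reproduce the expected Fail (permissions=644) on an RKE/RKE2 node and confirm a Pass after tightening the mode. The function names (`mode_at_most_600`, `check_file`, `scan_listed_files`) and the `--scan` flag are assumptions of this example; the file paths are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example (not the issue's or the cis-benchmark chart's own code):
# reproduces the "600 or more restrictive" file-permission test behind
# CIS 1.1.1/1.1.3/1.1.5/1.1.7 (RKE2 pod manifests) and 4.1.7 (RKE CA file).

# mode_at_most_600 MODE
# MODE is the octal string printed by `stat -c %a` (e.g. 644 or 4755).
# Returns 0 when no permission bit outside owner rw (0600) is set, i.e. the
# mode is "600 or more restrictive"; returns 1 otherwise. A setuid/setgid/
# sticky bit in a 4-digit mode counts as an extra bit and therefore fails.
mode_at_most_600() {
    mode=$1
    # Prefix with 0 so the shell parses the digits as octal, then mask off
    # the allowed bits; anything left over is a violation.
    extra=$(( 0$mode & ~0600 ))
    [ "$extra" -eq 0 ]
}

# check_file PATH
# Prints a tab-separated line in the same State/permissions style as the scan
# output. Returns 0 on Pass, 1 on Fail, 2 when the file is not present
# (the benchmark's own tests skip absent files via `test -e`).
check_file() {
    path=$1
    if [ ! -e "$path" ]; then
        printf 'Skip\t%s\t(not present)\n' "$path"
        return 2
    fi
    mode=$(stat -c %a "$path")
    if mode_at_most_600 "$mode"; then
        printf 'Pass\t%s\tpermissions=%s\n' "$path" "$mode"
        return 0
    fi
    printf 'Fail\t%s\tpermissions=%s\n' "$path" "$mode"
    return 1
}

# scan_listed_files PATH...
# Runs check_file over every argument; returns 1 if any present file fails,
# 0 otherwise (absent files are reported but do not count as failures).
scan_listed_files() {
    rc=0
    for f in "$@"; do
        status=0
        check_file "$f" || status=$?
        [ "$status" -eq 1 ] && rc=1
    done
    return $rc
}

# Paths quoted in the issue. Run as `sudo sh script.sh --scan` on a node;
# on an unhardened RKE2 control-plane node all four manifests report Fail.
if [ "${1:-}" = "--scan" ]; then
    scan_listed_files \
        /etc/kubernetes/ssl/kube-ca.pem \
        /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml \
        /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml \
        /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml \
        /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
fi
```

Because the comparison is bit-wise rather than a numeric `-le 600`, modes such as 640 or 604 (numerically below 644 but still granting group or other access) are correctly reported as Fail, which is what the automated check expects.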

@samjustus
Collaborator

#42012

@vivek-shilimkar
Member

The same failures are observed on CIS Profile 1.8 and should be documented as well.
