[RKE2] CIS Benchmark 1.24 requires file permissions to be 600 instead of 644 #4473
Comments
Linking
This was resolved back in the July set of releases, v1.27.4+rke2r1
@dereknola would you mind sharing the related PR/commits? I wasn't able to find the permission fixes in v1.27.4+rke2r1. Here are the remaining permission issues we found by running CIS-1.7 against
Related issue: rancher/rancher#42971
@andypitcher got it, yes the pod-manifests have not yet been resolved. I will have a PR up for that today, and it will go into October releases.
@dereknola sounds good, if you can link the PR to this issue, thanks!
Validated on master branch with commit a52b3ab

Environment Details

Infrastructure
Node(s) CPU architecture, OS, and Version:
Cluster Configuration:
Config.yaml:

Testing Steps

Validation Results:
Verify files in the following directories have a permission of 600:
Cluster Status:
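A script for the "verify files have a permission of 600" step above, added here as an example; it is not code from the rke2 project or from any commenter on this issue. It walks the files this issue lists, assumes Linux with GNU or BusyBox `stat -c` and the default data directory /var/lib/rancher/rke2 (the RKE2_DATA_DIR override and both function names are choices made for this example), and reports any file that grants group or other any permission at all, since the CIS checks accept 600 or tighter (400 passes, 640 and 644 fail).

```shell
#!/bin/sh
# Added example, not code from the rke2 project or from this issue's commenters.
# Audits the RKE2 files listed in the issue against the CIS 1.24 requirement
# that they be no more permissive than 0600.
# Assumptions: Linux with GNU/BusyBox `stat -c`, and the default RKE2 data
# directory /var/lib/rancher/rke2 (override with RKE2_DATA_DIR).

RKE2_DATA_DIR="${RKE2_DATA_DIR:-/var/lib/rancher/rke2}"

# check_mode_max_600 FILE
# Exit 0 when FILE grants nothing to group or other (600, 400, ...),
# 1 when the mode is more permissive (640, 644, ...), 2 when FILE is absent.
check_mode_max_600() {
    f="$1"
    [ -e "$f" ] || return 2
    # %a prints the octal mode without a leading zero, e.g. 644 or 1600;
    # zero-pad to four digits so the last two digits are always group/other.
    mode=$(printf '%04d' "$(stat -c '%a' "$f")")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_rke2_permissions DATA_DIR
# Prints one line per file and returns the number of failing files
# (the shell caps a return value at 255, which is plenty for this list).
audit_rke2_permissions() {
    base="$1"
    bad=0
    # File list taken from the issue; server/tls/* is expanded by the shell.
    set -- \
        "$base/agent/pod-manifests/kube-apiserver.yaml" \
        "$base/agent/pod-manifests/kube-controller-manager.yaml" \
        "$base/agent/pod-manifests/kube-scheduler.yaml" \
        "$base/agent/pod-manifests/etcd.yaml" \
        "$base/server/cred/admin.kubeconfig" \
        "$base/server/cred/scheduler.kubeconfig" \
        "$base/server/cred/controller.kubeconfig" \
        "$base/agent/kubeproxy.kubeconfig" \
        "$base/agent/kubelet.kubeconfig" \
        "$base"/server/tls/*
    for f in "$@"; do
        [ -d "$f" ] && continue   # skip subdirectories such as server/tls/etcd
        [ -f "$f" ] || { printf 'MISSING %s\n' "$f"; continue; }
        if check_mode_max_600 "$f"; then
            printf 'OK      %s\n' "$f"
        else
            printf 'FAIL    %s (mode %s, CIS 1.24 expects 600)\n' "$f" "$(stat -c '%a' "$f")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run the audit when the data directory is present on this host.
if [ -d "$RKE2_DATA_DIR" ]; then
    audit_rke2_permissions "$RKE2_DATA_DIR"
fi
```

Run it as root on a server node (the credential files are root-owned); a non-zero exit status means at least one listed file is still wider than 600, and each FAIL line names the file and its current mode.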
This issue is to improve the default file permissions of RKE2 files based on CIS (since CIS-1.24) new requirements.
Here is the list of concerned CIS checks with their concerned files to be set from 644 to 600.

File: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
File: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
File: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
File: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
File: /var/lib/rancher/rke2/server/cred/admin.kubeconfig
File: /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
File: /var/lib/rancher/rke2/server/cred/controller.kubeconfig
File: /var/lib/rancher/rke2/server/tls/*
File: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig
File: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
File: /var/lib/rancher/rke2/server/tls/server-ca.crt
File: /var/lib/rancher/rke2/agent/kubelet.kubeconfig

Note:
With regards to the new permission constraints, we have two options for a given check/file mentioned above: 600 (preferable), or 644 with a remediation/explanation.

Related issue: rancher/rancher#41131 (comment)
cc @rayandas