
[RKE2] CIS Benchmark 1.24 requires file permissions to be 600 instead of 644 #4473

Closed
andypitcher opened this issue Jul 14, 2023 · 6 comments

@andypitcher

andypitcher commented Jul 14, 2023

This issue is to improve the default file permissions of RKE2 files based on the new CIS requirements (since CIS-1.24).

Here is the list of affected CIS checks, with the files concerned, to be set from 644 to 600.

  • 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
  • 1.1.3 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
  • 1.1.5 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
  • 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
  • 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/server/cred/admin.kubeconfig
  • 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
  • 1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/server/cred/controller.kubeconfig
  • 1.2.19 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)
    File: /var/lib/rancher/rke2/server/tls/*
  • 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)
    File: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig
  • 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
  • 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)
    File: /var/lib/rancher/rke2/server/tls/server-ca.crt
  • 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)
    File: /var/lib/rancher/rke2/agent/kubelet.kubeconfig

Note:

With regards to the new permission constraints, we have two options for a given check/file mentioned above:

  • Improve K3s file permissions to 600 (preferable).
    or
  • Deviate from CIS recommendation and update the hardening guide and profile to 644, with a remediation/explanation.

Related issue: rancher/rancher#41131 (comment)

cc @rayandas

@andypitcher
Author

andypitcher commented Jul 17, 2023

Linking K3S similar issue to help: k3s-io/k3s#7975

@dereknola
Contributor

dereknola commented Oct 2, 2023

This was resolved back in the July set of releases, v1.27.4+rke2r1.

@andypitcher
Author

andypitcher commented Oct 3, 2023

@dereknola would you mind sharing the related PR/commits? I wasn't able to find the permission fixes in v1.27.4+rke2r1.

Here are the remaining permission issues we found by running CIS-1.7 against rke2 1.27.5:

Fail	1.1.1	Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
Fail	1.1.3	Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)
Fail	1.1.5	Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)
Fail	1.1.7	Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)

Related issue: rancher/rancher#42971

@dereknola dereknola reopened this Oct 3, 2023
@dereknola
Contributor

@andypitcher got it, yes, the pod-manifests have not yet been resolved. I will have a PR up for that today, and it will go into the October releases.

@andypitcher
Author

@dereknola sounds good; if you can link the PR to this issue, thanks!
cc @Priyashetty17

@aganesh-suse

aganesh-suse commented Oct 4, 2023

Validated on master branch with commit a52b3ab

Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"

Cluster Configuration:

HA: 3 server, 1 agent

Config.yaml:

token: secret
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
profile: "cis"

Testing Steps

  1. Copy config.yaml
     $ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2
  2. Install RKE2
     $ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_COMMIT='a52b3abf608e45d31c04589c1fc118e065ea06e4' INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=tar sh -
  3. Follow https://docs.rke2.io/security/hardening_guide
     $ sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
     $ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
     $ cat /etc/sysctl.d/60-rke2-cis.conf
     vm.panic_on_oom=0
     vm.overcommit_memory=1
     kernel.panic=10
     kernel.panic_on_oops=1
     $ sudo systemctl restart systemd-sysctl
     $ sudo systemctl enable --now rke2-server
     or
     $ sudo systemctl enable --now rke2-agent
  4. Verify that files in the following directories have permission 600.
     /var/lib/rancher/rke2/agent/pod-manifests/
     /var/lib/rancher/rke2/server/cred
     /var/lib/rancher/rke2/agent/

Validation Results:

  • rke2 version used for validation:
rke2 -v
rke2 version v1.28.2+dev.a52b3abf (a52b3abf608e45d31c04589c1fc118e065ea06e4)
go version go1.20.8 X:boringcrypto

Verify that files in the following directories have permission 600:

sudo ls -lrt /var/lib/rancher/rke2/agent/pod-manifests/
total 36
-rw------- 1 root root  3338 Oct  4 20:20 etcd.yaml
-rw------- 1 root root 10251 Oct  4 20:21 kube-apiserver.yaml
-rw------- 1 root root  5873 Oct  4 20:22 kube-controller-manager.yaml
-rw------- 1 root root  2729 Oct  4 20:22 kube-scheduler.yaml
-rw------- 1 root root  3765 Oct  4 20:22 cloud-controller-manager.yaml
-rw------- 1 root root  2442 Oct  4 20:22 kube-proxy.yaml
sudo ls -lrt /var/lib/rancher/rke2/server/cred
total 40
-rw------- 1 root root 485 Oct  4 20:20 supervisor.kubeconfig
-rw------- 1 root root 475 Oct  4 20:20 admin.kubeconfig
-rw------- 1 root root 485 Oct  4 20:20 controller.kubeconfig
-rw------- 1 root root 483 Oct  4 20:20 scheduler.kubeconfig
-rw------- 1 root root 493 Oct  4 20:20 api-server.kubeconfig
-rw------- 1 root root 507 Oct  4 20:20 cloud-controller.kubeconfig
-rw------- 1 root root  61 Oct  4 20:20 passwd
-rw------- 1 root root  97 Oct  4 20:20 ipsec.psk
-rw------- 1 root root 245 Oct  4 20:20 encryption-config.json
-rw------- 1 root root  70 Oct  4 20:20 encryption-state.json
sudo ls -lrt /var/lib/rancher/rke2/agent/
total 72
drwxr-xr-x  2 root root 4096 Oct  4 20:20 images
-rw-------  1 root root  570 Oct  4 20:20 client-ca.crt
-rw-------  1 root root  570 Oct  4 20:20 server-ca.crt
-rw-------  1 root root  227 Oct  4 20:20 serving-kubelet.key
-rw-------  1 root root 1230 Oct  4 20:20 serving-kubelet.crt
-rw-------  1 root root  464 Oct  4 20:21 kubelet.kubeconfig
-rw-------  1 root root  227 Oct  4 20:21 client-kubelet.key
-rw-------  1 root root 1193 Oct  4 20:21 client-kubelet.crt
-rw-------  1 root root  470 Oct  4 20:21 kubeproxy.kubeconfig
-rw-------  1 root root  227 Oct  4 20:21 client-kube-proxy.key
-rw-------  1 root root 1149 Oct  4 20:21 client-kube-proxy.crt
-rw-------  1 root root  480 Oct  4 20:21 rke2controller.kubeconfig
-rw-------  1 root root  227 Oct  4 20:21 client-rke2-controller.key
-rw-------  1 root root 1157 Oct  4 20:21 client-rke2-controller.crt
drwx------  3 root root 4096 Oct  4 20:21 etc
drwxr-xr-x  2 root root 4096 Oct  4 20:21 logs
drwx------ 15 root root 4096 Oct  4 20:21 containerd
drwx------  2 root root 4096 Oct  4 20:22 pod-manifests

Cluster Status:

$ kubectl get nodes
NAME               STATUS   ROLES                       AGE    VERSION
ip-1               Ready    control-plane,etcd,master   151m   v1.28.2+rke2r1
ip-2               Ready    control-plane,etcd,master   153m   v1.28.2+rke2r1
ip-3               Ready    <none>                      145m   v1.28.2+rke2r1
ip-4               Ready    control-plane,etcd,master   148m   v1.28.2+rke2r1
$ kubectl get pods -A
NAMESPACE     NAME                                                   READY   STATUS      RESTARTS   AGE
kube-system   cloud-controller-manager-ip-1                          1/1     Running     0          151m
kube-system   cloud-controller-manager-ip-2                          1/1     Running     0          154m
kube-system   cloud-controller-manager-ip-4                          1/1     Running     0          147m
kube-system   etcd-ip-1                                              1/1     Running     0          150m
kube-system   etcd-ip-2                                              1/1     Running     0          154m
kube-system   etcd-ip-4                                              1/1     Running     0          147m
kube-system   helm-install-rke2-canal-f689k                          0/1     Completed   0          154m
kube-system   helm-install-rke2-coredns-ntwwh                        0/1     Completed   0          154m
kube-system   helm-install-rke2-ingress-nginx-v644z                  0/1     Completed   0          154m
kube-system   helm-install-rke2-metrics-server-bkv42                 0/1     Completed   0          154m
kube-system   helm-install-rke2-snapshot-controller-c4xgl            0/1     Completed   1          154m
kube-system   helm-install-rke2-snapshot-controller-crd-5ncnt        0/1     Completed   0          154m
kube-system   helm-install-rke2-snapshot-validation-webhook-krfk8    0/1     Completed   0          154m
kube-system   kube-apiserver-ip-1                                    1/1     Running     0          150m
kube-system   kube-apiserver-ip-2                                    1/1     Running     0          153m
kube-system   kube-apiserver-ip-4                                    1/1     Running     0          148m
kube-system   kube-controller-manager-ip-1                           1/1     Running     0          151m
kube-system   kube-controller-manager-ip-2                           1/1     Running     0          154m
kube-system   kube-controller-manager-ip-4                           1/1     Running     0          147m
kube-system   kube-proxy-ip-1                                        1/1     Running     0          150m
kube-system   kube-proxy-ip-2                                        1/1     Running     0          154m
kube-system   kube-proxy-ip-172-31-29-144                            1/1     Running     0          146m
kube-system   kube-proxy-ip-4                                        1/1     Running     0          147m
kube-system   kube-scheduler-ip-1                                    1/1     Running     0          151m
kube-system   kube-scheduler-ip-2                                    1/1     Running     0          154m
kube-system   kube-scheduler-ip-4                                    1/1     Running     0          147m
kube-system   rke2-canal-fqm8g                                       2/2     Running     0          146m
kube-system   rke2-canal-lmfpm                                       2/2     Running     0          152m
kube-system   rke2-canal-pd9kk                                       2/2     Running     0          148m
kube-system   rke2-canal-ptcx4                                       2/2     Running     0          153m
kube-system   rke2-coredns-rke2-coredns-67f86d96c-fzp85              1/1     Running     0          151m
kube-system   rke2-coredns-rke2-coredns-67f86d96c-qd9wt              1/1     Running     0          153m
kube-system   rke2-coredns-rke2-coredns-autoscaler-d97d9cd9f-4nk8m   1/1     Running     0          153m
kube-system   rke2-ingress-nginx-controller-2t284                    1/1     Running     0          147m
kube-system   rke2-ingress-nginx-controller-7bpqb                    1/1     Running     0          146m
kube-system   rke2-ingress-nginx-controller-ndtxx                    1/1     Running     0          152m
kube-system   rke2-ingress-nginx-controller-nf5xr                    1/1     Running     0          150m
kube-system   rke2-metrics-server-c6fb46b64-f88jl                    1/1     Running     0          153m
kube-system   rke2-snapshot-controller-59cc9cd8f4-c2fbm              1/1     Running     0          153m
kube-system   rke2-snapshot-validation-webhook-54c5989b65-9m7gk      1/1     Running     0          153m
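As an added example (not rke2 project code and not part of this thread), the following POSIX shell audit walks the files listed in the opening comment and applies the same "600 or more restrictive" test that the validation above performed by eye with ls, including the 1.2.19 tls/* glob. It assumes GNU stat (Linux) and takes the RKE2 data directory as a parameter so it can also be run against a copied tree.

```shell
#!/bin/sh
# Added example (not rke2 project code): audit the RKE2 files named in the CIS
# 1.24 checks above for "600 or more restrictive" permissions. Assumes GNU stat
# (Linux); the root directory is a parameter so it can run on a constructed tree.

# cis_files ROOT: one "<check id> <path>" line per file the checks require to
# be 0600 or tighter; the 1.2.19 tls/* glob is expanded at the end.
cis_files() {
  cat <<EOF
1.1.1 $1/agent/pod-manifests/kube-apiserver.yaml
1.1.3 $1/agent/pod-manifests/kube-controller-manager.yaml
1.1.5 $1/agent/pod-manifests/kube-scheduler.yaml
1.1.7 $1/agent/pod-manifests/etcd.yaml
1.1.13 $1/server/cred/admin.kubeconfig
1.1.15 $1/server/cred/scheduler.kubeconfig
1.1.17 $1/server/cred/controller.kubeconfig
4.1.3 $1/agent/kubeproxy.kubeconfig
4.1.5 $1/agent/kubelet.kubeconfig
4.1.7 $1/server/tls/server-ca.crt
EOF
  for f in "$1"/server/tls/*; do [ -f "$f" ] || continue; echo "1.2.19 $f"; done
}

# mode_at_most FILE MAXMODE: succeed when FILE's permission bits are a subset of
# the octal MAXMODE (0400 passes a 600 limit, 0644 fails it).
mode_at_most() {
  mode=$(stat -c '%a' "$1") || return 2
  [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# audit_rke2_files [ROOT]: print Pass/Fail/Skip per check; return 1 on any Fail.
# Missing files are skipped, as the Manual checks apply only if the file exists.
audit_rke2_files() {
  root=${1:-/var/lib/rancher/rke2}
  rc=0
  while read -r id path; do
    [ -n "$id" ] || continue
    if [ ! -e "$path" ]; then
      echo "Skip $id $path (missing)"
    elif mode_at_most "$path" 600; then
      echo "Pass $id $path"
    else
      echo "Fail $id $path $(stat -c '%a' "$path")"
      rc=1
    fi
  done <<EOF
$(cis_files "$root")
EOF
  return $rc
}
```

On a node, source the file as root and call `audit_rke2_files`; the exit status is 1 whenever any file is looser than 0600, so it can gate a CI or post-install step.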
