Updated Compliance Operator CIS profile v1.4 fails on file permissions mode 600 and no remediation is available

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4
    • 4.12.36 or older
    • 4.13.14 or older

Issue

After upgrading the Compliance Operator to version 1.2.0, CIS OpenShift scans fail the following controls:

  • 1.1.1
  • 1.1.3
  • 1.1.5
  • 1.1.7
  • 1.1.13
  • 1.1.15
  • 1.1.17

These rules fail because of the tightened file permissions recommended in the CIS Red Hat OpenShift 1.4.0 benchmark; OpenShift Container Platform components are in the process of updating their default permissions to match that recommendation.

Resolution

  • The issue has been resolved with the release of RHOCP 4.14
  • The fixes have been backported to RHOCP 4.13.15 and RHOCP 4.12.37
  • We do not recommend changing the permissions of the affected files because they are managed by OpenShift Operators. Any manual change will be overwritten and can put the cluster into a degraded state.

Note:

  1. There is still one outstanding issue on this subject. If your environment is impacted, use a TailoredProfile that excludes the failing rule until the issue is resolved:
    OCPBUGS-22995 - Rule ocp4-cis-file-permissions-cni-conf returned a false negative result
  2. Older static pod revisions still have mode 0644 (they were written before the upgrade to an OCP release that changes the permission to 0600), and Compliance Operator scans fail on them. These older revisions are no longer in use and will eventually be pruned by the revision-pruner pods on each master node; until then the findings can be ignored. See Diagnostic Steps below and OCPBUGS-24454.

Root Cause

The Compliance Operator recently implemented support for evaluating CIS Red Hat OpenShift version 1.4.0, which is the latest published version of the CIS OpenShift benchmark. These updates included more strict permissions for various configuration files and manifests. Specifically, the file permissions were tightened from 644 to 600.

Older OpenShift versions used permission mode 644 for these files. Now that Compliance Operator 1.2.0 evaluates the latest version of the CIS Red Hat OpenShift benchmark, files that are still mode 644 are flagged as findings.

Diagnostic Steps

1. Check whether the following returns 644 for every pod (644 means the pod is still running with the old, non-compliant permissions; a fixed release returns 600):

for i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd)
do
  echo "check pod $i"
  oc rsh -n openshift-etcd "$i" \
    stat -c %a /etc/kubernetes/manifests/etcd-pod.yaml
done
  • You can run the same check for the following files as well:
    • controller-manager-kubeconfig
    • kube-apiserver
    • scheduler-kubeconfig

2. If you have upgraded your OpenShift environment but the Compliance Operator scan still fails on the file permissions rules, it may be due to older revisions that have not yet been pruned by the revision-pruner pods on the master nodes.
For instance, you can see multiple revisions, the newest will have fixed 600 permissions, but the older will still have 644:

-rw-------. 1 root root 675 Dec 1 11:17 kube-controller-manager-pod-28/configmaps/controller-manager-kubeconfig/kubeconfig

vs

-rw-r--r--. 1 root root 675 Oct 10 09:46 kube-controller-manager-pod-26/configmaps/controller-manager-kubeconfig/kubeconfig 
  • To know which revisions matter, check the revision-pruner pod logs and look for output similar to this:
I1211 01:55:04.737738       1 cmd.go:42] (*prune.PruneOptions)(0xc000229e00)({
 MaxEligibleRevision: (int) 7,
 ProtectedRevisions: ([]int) (len=6 cap=6) {
  (int) 2,
  (int) 3,
  (int) 4,
  (int) 5,
  (int) 6,
  (int) 7
 },
 ResourceDir: (string) (len=36) "/etc/kubernetes/static-pod-resources",
 CertDir: (string) (len=29) "kube-controller-manager-certs",
 StaticPodName: (string) (len=27) "kube-controller-manager-pod"

Any revision not in the ProtectedRevisions list is expected to be removed by the pruner, so 644 findings on such revisions can be ignored; a 644 on a protected revision is a real finding.
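The two diagnostic steps above amount to a triage: for every static pod resource file that still has mode 644, decide whether it belongs to a revision the pruner will keep (a genuine finding) or to one it will remove (ignorable). The script below is an added example, not part of the Red Hat solution, that does this offline against constructed input shaped like the listing and pruner log shown above. The ls(1)-style listing and the pruner log are embedded as constructed samples; in a real cluster you would capture them with `oc debug node/...` and `oc logs` (assumed commands, not shown in the article), then feed them to the same functions.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): triage CIS file-permission
# findings against the revision pruner's ProtectedRevisions list.
set -u

# Constructed sample listing, modelled on the two "ls -l" lines in the article.
# On a real cluster this would come from something like (assumed command):
#   oc debug node/<master> -- chroot /host \
#     ls -lR /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*
SAMPLE_LISTING='-rw-------. 1 root root 675 Dec  1 11:17 kube-controller-manager-pod-7/configmaps/controller-manager-kubeconfig/kubeconfig
-rw-r--r--. 1 root root 675 Oct 10 09:46 kube-controller-manager-pod-6/configmaps/controller-manager-kubeconfig/kubeconfig
-rw-r--r--. 1 root root 675 Sep 12 08:30 kube-controller-manager-pod-1/configmaps/controller-manager-kubeconfig/kubeconfig'

# Constructed sample pruner log, same shape as the one quoted in the article.
SAMPLE_PRUNER_LOG='I1211 01:55:04.737738       1 cmd.go:42] (*prune.PruneOptions)(0xc000229e00)({
 MaxEligibleRevision: (int) 7,
 ProtectedRevisions: ([]int) (len=6 cap=6) {
  (int) 2,
  (int) 3,
  (int) 4,
  (int) 5,
  (int) 6,
  (int) 7
 },
 ResourceDir: (string) (len=36) "/etc/kubernetes/static-pod-resources",
 CertDir: (string) (len=29) "kube-controller-manager-certs",
 StaticPodName: (string) (len=27) "kube-controller-manager-pod"'

# Convert an ls(1) symbolic mode such as "-rw-r--r--." to octal ("644").
# Only the nine rwx bits are considered; these files carry no suid/sgid/sticky bits.
symbolic_to_octal() {
  printf '%s\n' "$1" | awk '{
    s = substr($0, 2, 9); out = ""
    for (i = 1; i <= 7; i += 3) {
      v = 0
      if (substr(s, i, 1) == "r") v += 4
      if (substr(s, i + 1, 1) == "w") v += 2
      c = substr(s, i + 2, 1)
      if (c == "x" || c == "s" || c == "t") v += 1
      out = out v
    }
    print out
  }'
}

# CIS 1.4.0 wants 600 or more restrictive: any group or other bit is a finding.
# Accepts the 3- or 4-digit form that "stat -c %a" prints.
mode_is_compliant() {
  case $1 in
    [0-7]00 | [0-7][0-7]00) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the protected revision numbers from a pruner log, one per line.
protected_revisions() {
  printf '%s\n' "$1" \
    | sed -n '/ProtectedRevisions/,/},/p' \
    | sed -n 's/.*(int) \([0-9]*\).*/\1/p'
}

# For each listed file print: <revision> <mode> <verdict>
#   ok      -> 600 or tighter
#   FINDING -> loose mode on a revision the pruner keeps; must be investigated
#   stale   -> loose mode on an unprotected revision; the pruner will remove it
triage_listing() {
  listing=$1
  protected=$(protected_revisions "$2")
  printf '%s\n' "$listing" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    sym=${line%% *}                       # first field: symbolic mode
    path=${line##* }                      # last field: path
    rev=$(printf '%s\n' "$path" | sed -n 's/.*-pod-\([0-9]*\)\/.*/\1/p')
    mode=$(symbolic_to_octal "$sym")
    if mode_is_compliant "$mode"; then
      verdict=ok
    elif printf '%s\n' "$protected" | grep -qx "$rev"; then
      verdict=FINDING
    else
      verdict=stale
    fi
    printf '%s %s %s\n' "$rev" "$mode" "$verdict"
  done
}

# Revision 7 is fixed, revision 6 is protected and still 644 (real finding),
# revision 1 is 644 but unprotected and will be pruned.
triage_listing "$SAMPLE_LISTING" "$SAMPLE_PRUNER_LOG"
```

The verdict column is what you would take to a TailoredProfile decision: only `FINDING` rows justify excluding a rule or opening a support case; `stale` rows clear themselves once the pruner runs, and `ok` rows confirm the 4.12.37 / 4.13.15 / 4.14 fix is in effect.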

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.