Write pod-manifests as 0600 in cis mode (#4838)

* Write pod-manifests as 0600 in cis mode

Signed-off-by: Derek Nola <[email protected]>

pkg/podexecutor/staticpod.go

@@ -217,6 +217,7 @@ func (s *StaticPodConfig) KubeProxy(_ context.Context, args []string) error {
 		Command:       "kube-proxy",
 		Args:          args,
 		Image:         image,
+		CISMode:       s.CISMode,
 		HealthPort:    10256,
 		HealthProto:   "HTTP",
 		CPURequest:    s.ControlPlaneResources.KubeProxyCPURequest,
@@ -318,6 +319,7 @@ func (s *StaticPodConfig) APIServer(_ context.Context, etcdReady <-chan struct{}
 			Args:          args,
 			Image:         image,
 			Dirs:          dirs,
+			CISMode:       s.CISMode,
 			CPURequest:    s.ControlPlaneResources.KubeAPIServerCPURequest,
 			CPULimit:      s.ControlPlaneResources.KubeAPIServerCPULimit,
 			MemoryRequest: s.ControlPlaneResources.KubeAPIServerMemoryRequest,
@@ -370,6 +372,7 @@ func (s *StaticPodConfig) Scheduler(_ context.Context, apiReady <-chan struct{},
 			Command:       "kube-scheduler",
 			Args:          args,
 			Image:         image,
+			CISMode:       s.CISMode,
 			HealthPort:    10259,
 			HealthProto:   "HTTPS",
 			CPURequest:    s.ControlPlaneResources.KubeSchedulerCPURequest,
@@ -439,6 +442,7 @@ func (s *StaticPodConfig) ControllerManager(_ context.Context, apiReady <-chan s
 			Args:          args,
 			Image:         image,
 			Dirs:          onlyExisting(ssldirs),
+			CISMode:       s.CISMode,
 			HealthPort:    10257,
 			HealthProto:   "HTTPS",
 			CPURequest:    s.ControlPlaneResources.KubeControllerManagerCPURequest,
@@ -469,6 +473,7 @@ func (s *StaticPodConfig) CloudControllerManager(_ context.Context, ccmRBACReady
 			Args:          args,
 			Image:         image,
 			Dirs:          onlyExisting(ssldirs),
+			CISMode:       s.CISMode,
 			HealthPort:    10258,
 			HealthProto:   "HTTPS",
 			CPURequest:    s.ControlPlaneResources.CloudControllerManagerCPURequest,
@@ -542,6 +547,7 @@ func (s *StaticPodConfig) ETCD(ctx context.Context, args executor.ETCDConfig, ex
 			args.PeerTrust.KeyFile,
 			args.PeerTrust.TrustedCAFile,
 		},
+		CISMode:       s.CISMode,
 		HealthPort:    2381,
 		HealthPath:    "/health?serializable=true",
 		HealthProto:   "HTTP",

pkg/staticpod/staticpod.go

@@ -7,6 +7,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"io"
+	"io/fs"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -50,6 +51,7 @@ type Args struct {
 	Image           name.Reference
 	Dirs            []string
 	Files           []string
+	CISMode         bool // CIS requires that the manifest be saved with 600 permissions
 	ExcludeFiles    []string
 	HealthExec      []string
 	HealthPort      int32
@@ -123,10 +125,13 @@ func Run(dir string, args Args) error {
 	if err != nil {
 		return err
 	}
-	return writeFile(manifestPath, b)
+	if args.CISMode {
+		return writeFile(manifestPath, b, 0600)
+	}
+	return writeFile(manifestPath, b, 0644)
 }
 
-func writeFile(dest string, content []byte) error {
+func writeFile(dest string, content []byte, perm fs.FileMode) error {
 	name := filepath.Base(dest)
 	dir := filepath.Dir(dest)
 	if err := os.MkdirAll(dir, 0700); err != nil {
@@ -149,7 +154,7 @@ func writeFile(dest string, content []byte) error {
 	defer os.RemoveAll(tmpdir)
 
 	tmp := filepath.Join(tmpdir, name)
-	if err := ioutil.WriteFile(tmp, content, 0644); err != nil {
+	if err := os.WriteFile(tmp, content, perm); err != nil {
 		return err
 	}
 	return os.Rename(tmp, dest)

tests/e2e/vagrantdefaults.rb

@@ -20,4 +20,9 @@ def getInstallType(vm, version, branch)
   scripts_location = Dir.exists?("./scripts") ? "./scripts" : "../scripts" 
   vm.provision "shell", path:  scripts_location + "/latest_commit.sh", args: [branch, "/tmp/rke2_commits"]
   return "INSTALL_RKE2_COMMIT=$(head\ -n\ 1\ /tmp/rke2_commits)"
+end
+
+def cisPrep(vm)
+  vm.provision "shell", inline: "useradd -r -c 'etcd user' -s /sbin/nologin -M etcd -U"
+  vm.provision "shell", inline: "printf 'vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1' > /etc/sysctl.d/60-rke2-cis.conf; systemctl restart systemd-sysctl"
 end