
[Release-1.27] - [RKE2] CIS Benchmark 1.24 requires file permissions to be 600 instead of 644 #4834

Closed
dereknola opened this issue Oct 4, 2023 · 1 comment

@dereknola

Backport fix for [RKE2] CIS Benchmark 1.24 requires file permissions to be 600 instead of 644

@aganesh-suse

Validated on release-1.27 with COMMIT ID: 1ac6d7c

Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

cat /etc/os-release | grep PRETTY
PRETTY_NAME="Ubuntu 22.04.2 LTS"

Cluster Configuration:

1 server, 1 agent

Config.yaml:

token: secret
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
profile: "cis"

Testing Steps

  1. Copy config.yaml
$ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2
  2. Install RKE2
curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_COMMIT='1ac6d7c5f594910997245aa7dde5e8691ad165b2' INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=tar sh -
  3. Follow https://docs.rke2.io/security/hardening_guide
$ sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
$ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf 
$ cat /etc/sysctl.d/60-rke2-cis.conf 
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
$ sudo systemctl restart systemd-sysctl 
$ sudo systemctl enable --now rke2-server
or 
$ sudo systemctl enable --now rke2-agent
  4. Verify files in following directories have a permission of 600.
/var/lib/rancher/rke2/agent/pod-manifests/
/var/lib/rancher/rke2/server/cred
/var/lib/rancher/rke2/agent/

Validation Results:

  • rke2 version used for validation:
$ rke2 -v 
rke2 version v1.27.6+dev.1ac6d7c5 (1ac6d7c5f594910997245aa7dde5e8691ad165b2)
go version go1.20.8 X:boringcrypto

Verify files have 600 permission in the directories:

$ sudo ls -lrt /var/lib/rancher/rke2/agent/pod-manifests/ 
total 36
-rw------- 1 root root  3338 Oct  5 18:51 etcd.yaml
-rw------- 1 root root 10196 Oct  5 18:52 kube-apiserver.yaml
-rw------- 1 root root  2729 Oct  5 18:52 kube-scheduler.yaml
-rw------- 1 root root  5873 Oct  5 18:52 kube-controller-manager.yaml
-rw------- 1 root root  3765 Oct  5 18:52 cloud-controller-manager.yaml
-rw------- 1 root root  2442 Oct  5 18:53 kube-proxy.yaml

$ sudo ls -lrt /var/lib/rancher/rke2/server/cred 
total 40
-rw------- 1 root root 485 Oct  5 18:51 supervisor.kubeconfig
-rw------- 1 root root 483 Oct  5 18:51 scheduler.kubeconfig
-rw------- 1 root root 485 Oct  5 18:51 controller.kubeconfig
-rw------- 1 root root 475 Oct  5 18:51 admin.kubeconfig
-rw------- 1 root root 493 Oct  5 18:51 api-server.kubeconfig
-rw------- 1 root root 507 Oct  5 18:51 cloud-controller.kubeconfig
-rw------- 1 root root  61 Oct  5 18:51 passwd
-rw------- 1 root root  97 Oct  5 18:51 ipsec.psk
-rw------- 1 root root  70 Oct  5 18:51 encryption-state.json
-rw------- 1 root root 245 Oct  5 18:51 encryption-config.json

$ sudo ls -lrt /var/lib/rancher/rke2/agent/ 
total 72
drwxr-xr-x  2 root root 4096 Oct  5 18:51 images
-rw-------  1 root root  570 Oct  5 18:51 client-ca.crt
-rw-------  1 root root  570 Oct  5 18:51 server-ca.crt
-rw-------  1 root root  227 Oct  5 18:51 serving-kubelet.key
-rw-------  1 root root 1230 Oct  5 18:51 serving-kubelet.crt
-rw-------  1 root root  464 Oct  5 18:51 kubelet.kubeconfig
-rw-------  1 root root  227 Oct  5 18:51 client-kubelet.key
-rw-------  1 root root 1197 Oct  5 18:51 client-kubelet.crt
-rw-------  1 root root  470 Oct  5 18:51 kubeproxy.kubeconfig
-rw-------  1 root root  227 Oct  5 18:51 client-kube-proxy.key
-rw-------  1 root root 1149 Oct  5 18:51 client-kube-proxy.crt
-rw-------  1 root root  480 Oct  5 18:51 rke2controller.kubeconfig
-rw-------  1 root root  227 Oct  5 18:51 client-rke2-controller.key
-rw-------  1 root root 1157 Oct  5 18:51 client-rke2-controller.crt
drwx------  3 root root 4096 Oct  5 18:51 etc
drwxr-xr-x  2 root root 4096 Oct  5 18:52 logs
drwx------ 15 root root 4096 Oct  5 18:52 containerd
drwx------  2 root root 4096 Oct  5 18:53 pod-manifests

Cluster Status:

$ kubectl get nodes
NAME               STATUS   ROLES                       AGE    VERSION
ip-1               Ready    control-plane,etcd,master   151m   v1.27.6+rke2r1
ip-2               Ready    <none>                      145m   v1.27.6+rke2r1
$ kubectl get pods -A
NAMESPACE     NAME                                                   READY   STATUS      RESTARTS   AGE
kube-system   cloud-controller-manager-ip-1                           1/1     Running     0          6m26s
kube-system   etcd-ip-1                                               1/1     Running     0          6m4s
kube-system   helm-install-rke2-canal-ts8f5                           0/1     Completed   0          6m7s
kube-system   helm-install-rke2-coredns-x75gz                         0/1     Completed   0          6m7s
kube-system   helm-install-rke2-ingress-nginx-bgllc                   0/1     Completed   0          6m6s
kube-system   helm-install-rke2-metrics-server-cc5gh                  0/1     Completed   0          6m6s
kube-system   helm-install-rke2-snapshot-controller-crd-kg4qv         0/1     Completed   0          6m5s
kube-system   helm-install-rke2-snapshot-controller-s242m             0/1     Completed   0          6m4s
kube-system   helm-install-rke2-snapshot-validation-webhook-bp9b9     0/1     Completed   0          6m4s
kube-system   kube-apiserver-ip-1                                     1/1     Running     0          6m22s
kube-system   kube-controller-manager-ip-1                            1/1     Running     0          6m25s
kube-system   kube-proxy-ip-1                                         1/1     Running     0          6m6s
kube-system   kube-proxy-ip-2                                         1/1     Running     0          4m50s
kube-system   kube-scheduler-ip-1                                     1/1     Running     0          6m25s
kube-system   rke2-canal-8gd97                                        2/2     Running     0          4m51s
kube-system   rke2-canal-w7wfb                                        2/2     Running     0          5m55s
kube-system   rke2-coredns-rke2-coredns-5f5d6b54c7-pp2xv              1/1     Running     0          5m55s
kube-system   rke2-coredns-rke2-coredns-5f5d6b54c7-zqtrz              1/1     Running     0          4m48s
kube-system   rke2-coredns-rke2-coredns-autoscaler-6bf8f59fd5-2s8gn   1/1     Running     0          5m55s
kube-system   rke2-ingress-nginx-controller-6njkw                     1/1     Running     0          4m27s
kube-system   rke2-ingress-nginx-controller-dghwk                     1/1     Running     0          4m54s
kube-system   rke2-metrics-server-6d79d977db-7bqdz                    1/1     Running     0          4m59s
kube-system   rke2-snapshot-controller-7d6476d7cb-wkhmq               1/1     Running     0          5m8s
kube-system   rke2-snapshot-validation-webhook-5649fbd66c-275mq       1/1     Running     0          5m8s
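The validation above checks the three directories by eye with `ls -lrt`. The script below is an added example, not code from this issue or from RKE2, that performs the same check mechanically: it lists every regular file directly under the given directories whose mode is not exactly 0600 and exits non-zero if any is found. It assumes GNU or busybox `stat -c` and `find -maxdepth`, both present on the Ubuntu 22.04 node used in the report.

```shell
#!/bin/sh
# Added example (not from the issue or RKE2): audit that every regular file directly
# under the given directories is mode 0600, as expected under profile: "cis".
# Assumes GNU/busybox `stat -c` and `find -maxdepth` (Ubuntu 22.04 has both).

# Print "<mode> <owner> <path>" for each regular file whose mode is not exactly 0600.
# A missing directory is reported on stderr and also emitted as a violation line.
list_not_600() {
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            echo "missing - $dir"
            continue
        fi
        # -maxdepth 1 mirrors the per-directory `ls` check in the report; drop it to
        # recurse into subdirectories such as agent/etc. Directories (images, logs)
        # are 755 in the report and are deliberately not covered by -type f.
        find "$dir" -maxdepth 1 -type f ! -perm 600 -exec stat -c '%a %U %n' {} \;
    done
}

# Return 0 when every file is 0600, 1 otherwise; violations are printed to stdout.
audit_perms_600() {
    violations=$(list_not_600 "$@")
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    return 0
}

# The three directories named in the testing steps of the report.
RKE2_CIS_DIRS="/var/lib/rancher/rke2/agent/pod-manifests /var/lib/rancher/rke2/server/cred /var/lib/rancher/rke2/agent"

# Only run when invoked with arguments, so the file can also be sourced.
# `--default` audits RKE2_CIS_DIRS; otherwise each argument is a directory.
if [ $# -gt 0 ]; then
    if [ "$1" = "--default" ]; then
        # shellcheck disable=SC2086
        set -- $RKE2_CIS_DIRS
    fi
    audit_perms_600 "$@"
fi
```

Run it as root after the rke2-server or rke2-agent service is up, e.g. `sudo sh audit_perms_600.sh --default`; a non-zero exit with a `644 root ...` line is the pre-fix behaviour this issue backports a fix for.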
