
[Release-1.25] - [RKE2] CIS Benchmark 1.24 requires file permissions to be 600 instead of 644 #4836

Closed
dereknola opened this issue Oct 4, 2023 · 1 comment
@dereknola (Member)

Backport fix for [RKE2] CIS Benchmark 1.24 requires file permissions to be 600 instead of 644

aganesh-suse commented Oct 5, 2023

Validated on release-1.25 branch with commit 7043294

Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

cat /etc/os-release | grep PRETTY
PRETTY_NAME="Ubuntu 22.04.2 LTS"

Cluster Configuration:

1 server, 1 agent

Config.yaml:

token: secret
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
profile: "cis"

Testing Steps

  1. Copy config.yaml
$ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2
  2. Install RKE2
$ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_COMMIT='704329499688584c06ff0a094f0b62e573aefe7f' INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=tar sh -
  3. Follow https://docs.rke2.io/security/hardening_guide
$ sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
$ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf 
$ cat /etc/sysctl.d/60-rke2-cis.conf 
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
$ sudo systemctl restart systemd-sysctl 
$ sudo systemctl enable --now rke2-server
or 
$ sudo systemctl enable --now rke2-agent
  4. Verify files in following directories have a permission of 600.
/var/lib/rancher/rke2/agent/pod-manifests/
/var/lib/rancher/rke2/server/cred
/var/lib/rancher/rke2/agent/

Validation Results:

  • rke2 version used for validation:
rke2 -v
rke2 version v1.25.14-dev+70432949 (704329499688584c06ff0a094f0b62e573aefe7f)
go version go1.20.8 X:boringcrypto

Verify files in following directories have a permission of 600:

$ sudo ls -lrt /var/lib/rancher/rke2/agent/pod-manifests/ 
total 36
-rw------- 1 root root  3338 Oct  5 18:00 etcd.yaml
-rw------- 1 root root 10197 Oct  5 18:00 kube-apiserver.yaml
-rw------- 1 root root  2730 Oct  5 18:01 kube-scheduler.yaml
-rw------- 1 root root  5874 Oct  5 18:01 kube-controller-manager.yaml
-rw------- 1 root root  3765 Oct  5 18:01 cloud-controller-manager.yaml
-rw------- 1 root root  2443 Oct  5 18:01 kube-proxy.yaml

$ sudo ls -lrt /var/lib/rancher/rke2/server/cred 
total 40
-rw------- 1 root root 485 Oct  5 18:00 supervisor.kubeconfig
-rw------- 1 root root 475 Oct  5 18:00 admin.kubeconfig
-rw------- 1 root root 483 Oct  5 18:00 scheduler.kubeconfig
-rw------- 1 root root 485 Oct  5 18:00 controller.kubeconfig
-rw------- 1 root root 493 Oct  5 18:00 api-server.kubeconfig
-rw------- 1 root root 507 Oct  5 18:00 cloud-controller.kubeconfig
-rw------- 1 root root  61 Oct  5 18:00 passwd
-rw------- 1 root root  97 Oct  5 18:00 ipsec.psk
-rw------- 1 root root  70 Oct  5 18:00 encryption-state.json
-rw------- 1 root root 245 Oct  5 18:00 encryption-config.json

$ sudo ls -lrt /var/lib/rancher/rke2/agent/ 
total 72
drwxr-xr-x  2 root root 4096 Oct  5 18:00 images
-rw-------  1 root root  570 Oct  5 18:00 client-ca.crt
-rw-------  1 root root  570 Oct  5 18:00 server-ca.crt
-rw-------  1 root root  227 Oct  5 18:00 serving-kubelet.key
-rw-------  1 root root 1226 Oct  5 18:00 serving-kubelet.crt
-rw-------  1 root root  464 Oct  5 18:00 kubelet.kubeconfig
-rw-------  1 root root  227 Oct  5 18:00 client-kubelet.key
-rw-------  1 root root 1193 Oct  5 18:00 client-kubelet.crt
-rw-------  1 root root  470 Oct  5 18:00 kubeproxy.kubeconfig
-rw-------  1 root root  227 Oct  5 18:00 client-kube-proxy.key
-rw-------  1 root root 1149 Oct  5 18:00 client-kube-proxy.crt
-rw-------  1 root root  480 Oct  5 18:00 rke2controller.kubeconfig
-rw-------  1 root root  227 Oct  5 18:00 client-rke2-controller.key
-rw-------  1 root root 1157 Oct  5 18:00 client-rke2-controller.crt
drwx------  3 root root 4096 Oct  5 18:00 etc
drwxr-xr-x  2 root root 4096 Oct  5 18:00 logs
drwx------ 15 root root 4096 Oct  5 18:00 containerd
drwx------  2 root root 4096 Oct  5 18:01 pod-manifests

Cluster Status:

$ kubectl get nodes
NAME               STATUS   ROLES                       AGE     VERSION
ip-1                Ready    control-plane,etcd,master   10m     v1.25.14+rke2r1
ip-2                Ready    <none>                      9m13s   v1.25.14+rke2r1

$ kubectl get pods -A
NAMESPACE     NAME                                                    READY   STATUS      RESTARTS   AGE
kube-system   cloud-controller-manager-ip-1                           1/1     Running     0          10m
kube-system   etcd-ip-1                                               1/1     Running     0          10m
kube-system   helm-install-rke2-canal-h26rb                           0/1     Completed   0          10m
kube-system   helm-install-rke2-coredns-gbfmf                         0/1     Completed   0          10m
kube-system   helm-install-rke2-ingress-nginx-pd5k4                   0/1     Completed   0          10m
kube-system   helm-install-rke2-metrics-server-twkdh                  0/1     Completed   0          10m
kube-system   helm-install-rke2-snapshot-controller-crd-dq8mr         0/1     Completed   0          10m
kube-system   helm-install-rke2-snapshot-controller-g5cfc             0/1     Completed   1          10m
kube-system   helm-install-rke2-snapshot-validation-webhook-62bt2     0/1     Completed   0          10m
kube-system   kube-apiserver-ip-1                                     1/1     Running     0          10m
kube-system   kube-controller-manager-ip-1                            1/1     Running     0          10m
kube-system   kube-proxy-ip-1                                         1/1     Running     0          10m
kube-system   kube-proxy-ip-2                                         1/1     Running     0          9m16s
kube-system   kube-scheduler-ip-1                                     1/1     Running     0          10m
kube-system   rke2-canal-5ld5h                                        2/2     Running     0          10m
kube-system   rke2-canal-npcqh                                        2/2     Running     0          9m17s
kube-system   rke2-coredns-rke2-coredns-546587f99c-pzrbs              1/1     Running     0          9m8s
kube-system   rke2-coredns-rke2-coredns-546587f99c-xdhrh              1/1     Running     0          10m
kube-system   rke2-coredns-rke2-coredns-autoscaler-797c865dbd-jcmqm   1/1     Running     0          10m
kube-system   rke2-ingress-nginx-controller-msm26                     1/1     Running     0          8m45s
kube-system   rke2-ingress-nginx-controller-w4jvs                     1/1     Running     0          8m59s
kube-system   rke2-metrics-server-78b84fff48-pc9sv                    1/1     Running     0          9m20s
kube-system   rke2-snapshot-controller-849d69c748-94lr4               1/1     Running     0          9m5s
kube-system   rke2-snapshot-validation-webhook-7f955488ff-tbrvj       1/1     Running     0          9m17s
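The validation above is done by eye over `ls -lrt` output. The script below is an added example, not code from the RKE2 project or from the commenter, that does the same check mechanically: it walks the three directories named in the testing steps and prints every regular file whose mode is not exactly 0600, returning a non-zero status so it can gate a CI job or a post-install hook. It assumes Linux with GNU coreutils (`stat -c`) and must run as root on a real node; the `demo_tree` function builds a constructed scratch directory with hypothetical file names so the audit can be exercised on a machine without RKE2.

```shell
#!/bin/sh
# Added example, not code from the RKE2 project or the issue author.
# Audits the three directories the issue lists and prints every regular file
# whose mode is not exactly 0600, the value the CIS 1.24 benchmark expects.
# Assumes Linux with GNU coreutils (`stat -c`); run as root on a real node.

# Directories named in the issue's "Verify files ... have a permission of 600" step.
RKE2_CIS_DIRS="/var/lib/rancher/rke2/agent/pod-manifests \
/var/lib/rancher/rke2/server/cred \
/var/lib/rancher/rke2/agent"

# check_modes DIR [WANT]
# Prints "MODE PATH" for each regular file directly inside DIR (no recursion,
# matching the `ls -l` checks in the issue; subdirectories such as images/ or
# logs/ are skipped) whose octal mode differs from WANT (default 600).
# Returns 0 when every file complies, 1 when at least one deviates, 2 when DIR
# is missing or a file cannot be stat'ed.
check_modes() {
    dir=$1
    want=${2:-600}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    bad=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue            # unmatched globs and directories fall out here
        mode=$(stat -c '%a' "$f") || return 2
        if [ "$mode" != "$want" ]; then
            printf '%s %s\n' "$mode" "$f"
            bad=1
        fi
    done
    return $bad
}

# audit_dirs DIR...
# Runs check_modes over every argument and returns the worst status seen, so a
# single world-readable kubeconfig or a missing directory fails the audit.
audit_dirs() {
    rc=0
    for d in "$@"; do
        r=0
        check_modes "$d" || r=$?
        if [ "$r" -gt "$rc" ]; then rc=$r; fi
    done
    return $rc
}

# demo_tree
# Builds a constructed scratch directory shaped like server/cred (hypothetical
# names, empty contents) with two compliant files and one at the pre-fix mode
# 0644, and prints its path.
demo_tree() {
    d=$(mktemp -d) || return 2
    : > "$d/admin.kubeconfig";  chmod 600 "$d/admin.kubeconfig"
    : > "$d/ipsec.psk";         chmod 600 "$d/ipsec.psk"
    : > "$d/passwd";            chmod 644 "$d/passwd"   # the mode the issue fixed
    printf '%s\n' "$d"
}

# Stand-alone run: audit the real node when RKE2 is installed, otherwise the
# constructed tree (where passwd is expected to be flagged).
if [ -d /var/lib/rancher/rke2 ]; then
    audit_dirs $RKE2_CIS_DIRS && echo "OK: all files are 0600" || echo "FAIL: files listed above are not 0600"
else
    demo=$(demo_tree)
    echo "RKE2 not found; auditing constructed tree $demo"
    audit_dirs "$demo" || echo "FAIL as expected: passwd is 0644 in the demo tree"
    rm -rf "$demo"
fi
```

On a hardened node run it as `sudo sh check-rke2-modes.sh`; an exit status of 1 means at least one file still carries the old 0644 mode, 2 means a directory from the list is absent (for example `server/cred` on an agent-only node, which is expected there and can be excluded by passing only the agent paths to `audit_dirs`).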
