Write pod-manifests as 0600 in cis mode #4831

Merged: 2 commits, Oct 4, 2023

dereknola (Member) commented Oct 3, 2023

Signed-off-by: Derek Nola [email protected]

Proposed Changes

CIS 1.7 requires the pod-manifest yaml files to be 0600.

  • If cis mode, we now write those files as 0600 instead of 0644.
  • E2E function for debug help

Types of Changes

File Permissions in CIS

Verification

  • Start rke2 with --profile=cis
root@server-0:/home/vagrant# stat -c "%a %n" /var/lib/rancher/rke2/agent/pod-manifests/*
600 /var/lib/rancher/rke2/agent/pod-manifests/cloud-controller-manager.yaml
600 /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
600 /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
600 /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
600 /var/lib/rancher/rke2/agent/pod-manifests/kube-proxy.yaml
600 /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml

Testing

Linked Issues

#4473

User-Facing Change


Further Comments

@dereknola dereknola requested a review from a team as a code owner October 3, 2023 17:32
Signed-off-by: Derek Nola <[email protected]>
@dereknola dereknola merged commit a52b3ab into rancher:master Oct 4, 2023
1 check passed
dereknola added a commit to dereknola/rke2 that referenced this pull request Oct 4, 2023
* Write pod-manifests as 0600 in cis mode

Signed-off-by: Derek Nola <[email protected]>
@dereknola dereknola deleted the cis_1.7_agent branch October 16, 2023 21:20
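
An added example, not code from this PR or from rke2: a Go sketch of the behaviour the description states (0600 in CIS mode instead of 0644) together with the check that the `stat` verification performs. The helper names `manifestMode`, `writeManifest` and `auditManifests` are hypothetical; the explicit `Chmod` is there because `os.WriteFile` applies its mode only when it creates a file, so a manifest already on disk as 0644 would otherwise keep that mode.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// manifestMode: 0600 in CIS mode, 0644 otherwise (the two modes named in the PR).
func manifestMode(cisMode bool) os.FileMode {
	if cisMode {
		return 0o600
	}
	return 0o644
}

// writeManifest (hypothetical helper) writes the file, then sets the mode explicitly:
// WriteFile leaves an existing file's mode unchanged and a new file's mode passes the umask.
func writeManifest(dir, name string, data []byte, cisMode bool) error {
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, data, manifestMode(cisMode)); err != nil {
		return err
	}
	return os.Chmod(path, manifestMode(cisMode))
}

// auditManifests lists the *.yaml files in dir that have any permission bit beyond 0600.
func auditManifests(dir string) ([]string, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "*.yaml"))
	if err != nil {
		return nil, err
	}
	var loose []string
	for _, p := range paths {
		if info, err := os.Stat(p); err != nil {
			return nil, err
		} else if info.Mode().Perm()&^0o600 != 0 {
			loose = append(loose, filepath.Base(p))
		}
	}
	return loose, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "pod-manifests") // constructed sample directory
	defer os.RemoveAll(dir)
	_ = writeManifest(dir, "etcd.yaml", []byte("kind: Pod\n"), false)
	loose, err := auditManifests(dir)
	fmt.Println(loose, err)
}
```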