Use 0700 perms for etcd data dir #1441
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: shaneboulden. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @shaneboulden. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@@ -306,13 +306,13 @@ func (r *renderOpts) Run() error { | |||
certDir := filepath.Join(memberDir, "etcd-all-certs") | |||
|
|||
// Creating the cert dir recursively will create the base path too | |||
err = os.MkdirAll(certDir, 0755) | |||
err = os.MkdirAll(certDir, 0700) |
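Review bot: changing the mode passed to `os.MkdirAll(certDir, 0700)` only affects directories that do not yet exist, so if `memberDir` is already present on the node its permissions are left exactly as they were and only the new `etcd-all-certs` child gets 0700; the PR title's goal for the data dir is therefore only met on a first-time creation of the whole path. If the data dir itself must be 0700 regardless of who created it, follow the MkdirAll with an explicit `os.Chmod(memberDir, 0700)` (Chmod is not reduced by the process umask, whereas the mode given to MkdirAll is), and update the comment `// Creating the cert dir recursively will create the base path too` to state that the mode applies only to components MkdirAll creates.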
are you sure that this changes the dataDir?
This is the only location I could find in the codebase where the /var/lib/etcd dir is created, via the memberDir.
I'm also curious about the permission of "/var/lib/etcd", which is set to 0755, but I'm afraid you got the wrong place. Maybe you could change the dir permission in the following place, just like:
mkdir -p /var/log/etcd && chmod 0600 /var/log/etcd
I think the reason is that the entire folder structure is on 0755:
sh-5.1# stat --format '%a' /var/
755
sh-5.1# stat --format '%a' /var/lib/etcd/
755
same with other openshift folders:
sh-5.1# stat --format '%a' /var/lib/ovn-ic/
755
sh-5.1# stat --format '%a' /var/lib/kubelet/
755
so I would rather advocate to change the CIS rule.
@lance5890 you're right, I'm mistaken. I will take a look at an initContainers approach. Should I turn this into a draft / WIP?
@tjungblu
I think you're right.
I couldn't find the /var/lib/etcd dir explicitly created by the operator. But, doing some digging through older issues, it sounds like the kubelet will create the dir with 0755 if it doesn't exist (not sure how much has changed since 2018...)
kubernetes/kubeadm#1308 (comment)
so I would rather advocate to change the CIS rule.
Looks like 0700 is also part of the STIG: https://github.com/ComplianceAsCode/content/blob/49189d32c6039a5e4ca68f6e4a04de1f719e47b2/products/ocp4/profiles/stig-node-v1r1.profile#L62
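The question debated above, whether `os.MkdirAll` on the cert dir changes the mode of an already existing data dir, can be checked in isolation. The Go program below is an added example, not code from cluster-etcd-operator or any participant in this thread; the `existing/member` and `fresh/member` paths under a temp dir are constructed stand-ins for `memberDir`. It creates the cert dir with the same `filepath.Join` + `os.MkdirAll(…, 0700)` shape as the changed line, once under a parent that already exists with 0755 and once under a parent that does not exist yet, and reports the resulting permission bits of both directories.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Result records the permission bits observed after creating the cert dir
// underneath a member (data) dir.
type Result struct {
	ParentMode os.FileMode // mode of memberDir after the MkdirAll call
	CertMode   os.FileMode // mode of memberDir/etcd-all-certs
}

// createCertDir mirrors the shape of the changed line in the PR
// (filepath.Join + os.MkdirAll with 0700) against an arbitrary member dir.
func createCertDir(memberDir string) (Result, error) {
	certDir := filepath.Join(memberDir, "etcd-all-certs")
	if err := os.MkdirAll(certDir, 0700); err != nil {
		return Result{}, err
	}
	pi, err := os.Stat(memberDir)
	if err != nil {
		return Result{}, err
	}
	ci, err := os.Stat(certDir)
	if err != nil {
		return Result{}, err
	}
	return Result{ParentMode: pi.Mode().Perm(), CertMode: ci.Mode().Perm()}, nil
}

// ExistingParent: memberDir already exists with 0755, the situation the
// thread describes on the node. MkdirAll only creates what is missing, so the
// parent keeps 0755 and only the new cert dir is created with 0700.
func ExistingParent(root string) (Result, error) {
	memberDir := filepath.Join(root, "existing", "member") // constructed path
	if err := os.MkdirAll(memberDir, 0755); err != nil {
		return Result{}, err
	}
	// Chmod is not subject to umask, so the parent is exactly 0755 here.
	if err := os.Chmod(memberDir, 0755); err != nil {
		return Result{}, err
	}
	return createCertDir(memberDir)
}

// MissingParent: memberDir does not exist yet. MkdirAll creates every missing
// component with the requested 0700, further reduced by the process umask,
// so neither directory ends up with any group or other bits set.
func MissingParent(root string) (Result, error) {
	memberDir := filepath.Join(root, "fresh", "member") // constructed path
	return createCertDir(memberDir)
}

func main() {
	root, err := os.MkdirTemp("", "etcd-perms-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	for _, c := range []struct {
		name string
		fn   func(string) (Result, error)
	}{
		{"existing parent", ExistingParent},
		{"missing parent", MissingParent},
	} {
		r, err := c.fn(root)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s parent=%04o cert=%04o\n", c.name, r.ParentMode, r.CertMode)
	}
}
```

Run as `go run .`: with an existing parent the data dir stays at 0755 while only `etcd-all-certs` drops to 0700, which is what the comments above conclude; only when the whole path is missing does the data dir itself come out with no group or other bits.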
@shaneboulden are you sure that the data dir is part of the STIG? https://stigviewer.com/stigs/kubernetes
The data files I agree and understand, but the datadir itself seems pretty strange to me.
@tjungblu it is certainly in the OpenShift v1r1 STIG
https://complianceascode.github.io/content-pages/guides/ssg-ocp4-guide-stig-node-v1r1.html
I assume that the STIG is generated from the git repo ;)
Oz hasn't been around for a few years now, so we won't be able to ask him. I remember my old team was writing a few of those rules too.
Tracking this back to 2020: ComplianceAsCode/content#6341 and ComplianceAsCode/content#6341 (comment)
Not sure whether this ever worked; it also seems to be an additional check that is not listed in the initial ticket.
Currently the cluster etcd operator creates 0755 permissions for /var/lib/etcd by default:
Upstream etcd uses 0700: https://github.com/etcd-io/etcd/blob/866bc0717c0b56579514c7363f3f47f6cd4109c6/client/pkg/fileutil/fileutil.go#L47
And the OpenShift CIS benchmark requires that the /var/lib/etcd data dir is configured with 0700 file permissions: https://github.com/ComplianceAsCode/content/blob/24dba6b94757881c8d8e0dd21390fa733a7c3b70/applications/openshift/master/file_permissions_var_lib_etcd/rule.yml#L28
This change aligns the cluster etcd operator with upstream and the CIS benchmark for OpenShift.