Update Kubernetes PKI certificate file permissions #11069
Hi @bmelbourne. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: bmelbourne
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/ok-to-test
@yankay
Hi, thanks for your contribution; however, I am not entirely sure this is the right fix. First of all, the severity score "critical" of the benchmark you provided looks kind of dubious to me; restricting access to a certificate looks weird, and I don't really see the security issue here. However, there is indeed no point in other users accessing this, so I would suggest trying to change the permission of the cert dir in
a5727c8 to b1146be
@MrFreezeex I've also refactored some of the other tasks to improve consistency.
@yankay
b1146be to 7b6c6bf
Thanks! Could you only keep the changes in the preinstall role and not in
The code changes are still required in order to restrict certificate file permissions to the
7b6c6bf to 50546c5
50546c5 to 7489554
7489554 to b5e1477
Signed-off-by: bmelbourne <[email protected]>
b5e1477 to 706d7f9
Two things:
What type of PR is this?
/kind bug
What this PR does / why we need it:
Align Kubernetes PKI certificate file permissions with key file permissions and reduce exposure of Kubernetes PKI certificates to non-root users, hence improving cluster security, specifically CIS Kubernetes benchmark compliance.
Which issue(s) this PR fixes:
None.
Special notes for your reviewer:
None.
Does this PR introduce a user-facing change?: