
CNI configuration files have permissions 644 when 600 should be enough #6382

Open
OlofKalufs opened this issue May 30, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done.

Comments

@OlofKalufs

Describe the bug

The CNI configuration file at /etc/cni/net.d/10-antrea.conflist gets the permissions 644 even though 600 should suffice. This is marked as a failure by the CIS Kubernetes Benchmark 1.9.0 #1.1.9

To Reproduce
Run

$ stat -c %a /etc/cni/net.d/10-antrea.conflist

Expected

$ stat -c %a /etc/cni/net.d/10-antrea.conflist
600

Actual behavior

$ stat -c %a /etc/cni/net.d/10-antrea.conflist
644

Versions:

  • Antrea version (Docker image tag):
    projects.registry.vmware.com/tkg/antrea-advanced-debian@sha256:cd855cf402d22aff0826062bbd91fb330a1c294d0f8ca87b9d765f7dc11934e2
    (from tanzu standard packages 1.13.1+vmware.3-tkg.1)
  • Kubernetes version: v1.28.4+vmware.1
  • Container runtime: containerd 1.6.24
  • Linux kernel version on the Kubernetes Nodes (uname -r): 5.15.0-89-generic

Additional context

It is set - it seems - in the file https://github.com/antrea-io/antrea/blob/main/build/images/scripts/install_cni on this line:

install -m 644 /etc/antrea/antrea-cni.conflist /host/etc/cni/net.d/10-antrea.conflist
@OlofKalufs OlofKalufs added the kind/bug Categorizes issue or PR as related to a bug. label May 30, 2024
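A defender-side audit for the condition described in this report, added here as an example (it is not part of the Antrea project's scripts): it walks a CNI configuration directory and flags any file whose mode grants permission bits beyond a chosen maximum (600 by default, matching the CIS Kubernetes Benchmark 1.1.9 expectation quoted above). It assumes GNU `stat -c %a`, as used in the reproduction steps.

```shell
# Added example, not Antrea's code. Audit CNI config files for modes more
# permissive than a maximum (default 600). Prints each offending file with the
# extra bits it grants; returns 1 if any file is too permissive, 0 otherwise.
# Assumes GNU coreutils stat (-c %a prints the octal mode without a leading 0).
check_cni_perms() {
    dir="${1:-/etc/cni/net.d}"
    max="${2:-600}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        # Any bit set in the file mode but not in the allowed maximum is a
        # violation; the 0 prefix makes the shell treat both values as octal.
        extra=$(( 0$mode & ~0$max & 0777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s: mode %s grants extra bits %03o (max %s)\n' \
                "$f" "$mode" "$extra" "$max"
            rc=1
        fi
    done
    return $rc
}

# Remediation helper for the same directory: tighten only the files that fail
# the check above, leaving compliant files untouched.
fix_cni_perms() {
    dir="${1:-/etc/cni/net.d}"
    max="${2:-600}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ $(( 0$mode & ~0$max & 0777 )) -ne 0 ]; then
            chmod "$max" "$f"
        fi
    done
}
```

Run `check_cni_perms` as root on a node to reproduce the CIS finding; a non-zero return means at least one file (such as 10-antrea.conflist at 644) exceeds the maximum.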
@antoninbas
Contributor

@OlofKalufs Thanks for submitting this. Do you have some supporting evidence that 600 should always be enough? I took a quick look at other CNIs, and they also seem to be using 644 when installing the files on the Node.
I assume that in your typical case, everyone runs as root (CNI, containerd, kubelet) and 600 works fine, but is this always the case?

@antoninbas antoninbas added priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. labels Jun 3, 2024
Contributor

github-actions bot commented Sep 2, 2024

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 2, 2024