CIS Benchmark Compliance - /var/lib/etcd permissions

[raesene]

this was mentioned in the k8s slack and I was asked to file an issue, so here it is :) As a little background I'm one of the authors of the CIS benchmark and I'm looking at changes we may need to make for the next version. Our reference installation mechanism is kubeadm.

At the moment a default kubeadm installation will get a failing mark on item 1.4.11 of the CIS Kubernetes Benchmark version 1.3 as the permissions on /var/lib/etcd are 755 rather than the recommended 700. Looking at a sample install it looked like that directory just had a single entry which was set to 700.

What I wanted to check is, is there a requirement for the permissions to be 755 on that directory for operation of the cluster or could they be changed to 700?

If there's an operational requirement for those permissions, then we could look at whether it would be possible to modify the standard, but if not, it would be good to see those changed on a default install to 700.

[yagonobre]

I guess that it's ok to use 700 in /var/lib/etcd. I'll validate this in a bit.
/area security
/kind feature
/assign

[yagonobre]

If the directory don't exist the kubelet will create it with 755 mask, so you can create the directory and set the permissions before run kubeadm init.

[neolit123]

If the directory don't exist the kubelet will create it with 755 mask, so you can create the directory and set the permissions before run kubeadm init.

if that's the case we should file an issue for the kubelet instead of kubeadm.
cc @detiber @chuckha for 👀

[yagonobre]

From https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

DirectoryOrCreate | If nothing exists at the given path, an empty directory will be created there as needed with permission set to 0755, having the same group and ownership with Kubelet.

[neolit123]

@yagonobre thanks.

@raesene so, this seems as part of the k8s internals.
a kubernetes / kubernetes issue has to be created tagging /sig storage and /sig node.

[luxas]

Yes, let's fix this in v1.14. It might be relevant with a cherrypick, depending on the implementation.
We're gonna prioritize #683 in the coming release.

[luxas]

Easiest way forward here is to create the directory with os.Mkdir(All) with the right permissions if it doesn't exist, and then let k8s do its thing with hostpath type=Directory (requires the directory to already exist)