
feature request: CNI file permissions more restrictive (600)

Open moonek opened this issue 1 year ago • 4 comments

Expected Behavior

CNI-related CIS Benchmarks include:

1.1.9	Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
1.1.10	Ensure that the Container Network Interface file ownership is set to root:root

Current Behavior

/etc/cni/net.d/10-calico.conflist file permission is 644.

root@master:/root$ ll /etc/cni/net.d/
total 8
drwxr-xr-x. 2 root root   57 Nov 16 05:33 ./
drwxr-xr-x. 3 root root   19 Apr 18  2022 ../
-rw-r--r--  1 root root  657 Mar 13 03:46 10-calico.conflist
-rw-------  1 root root 2712 Mar 13 03:46 calico-kubeconfig

Possible Solution

Steps to Reproduce (for bugs)

  1. curl https://raw.githubusercontent.com/projectcalico/calico/v3.24.5/manifests/calico.yaml -O
  2. kubectl apply -f calico.yaml
  3. ll /etc/cni/net.d/

Context

Your Environment

  • Calico version: 3.24.5
  • Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes 1.24.8
  • Operating System and version: Centos 7.8
  • Link to your project (optional):

moonek, Mar 13 '23 04:03
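The two CIS checks quoted in the issue (1.1.9 mode 600 or stricter, 1.1.10 owner root:root) are simple enough to audit and remediate from the node shell. The script below is an added example, not code from the issue author or the Calico project. It assumes GNU coreutils `stat -c` (Linux) and takes the directory from a hypothetical `CNI_DIR` variable that defaults to `/etc/cni/net.d`; the `--audit` / `--fix` arguments are likewise this example's own convention.

```shell
#!/bin/sh
# Added example (not Calico's code): audit the CNI config directory against
# CIS 1.1.9 (mode 600 or more restrictive) and 1.1.10 (owner root:root),
# and optionally remediate. Assumes GNU coreutils `stat -c` (Linux).
set -u
CNI_DIR="${CNI_DIR:-/etc/cni/net.d}"   # hypothetical override variable

# Octal permission bits of a file, e.g. 644.
file_mode() { stat -c '%a' "$1"; }
# Owner and group as names, e.g. root:root.
file_owner() { stat -c '%U:%G' "$1"; }

# True when the mode is 600 or more restrictive: no group/other bits,
# no owner execute bit, and no setuid/setgid/sticky bits.
mode_is_restrictive() {
    # "0$1" forces octal interpretation inside $(( )); 07177 masks every
    # bit outside rw------- (0600), so the result must be zero.
    [ $(( 0$1 & 07177 )) -eq 0 ]
}

# Print one line per regular file whose mode is too permissive; return 1 if any.
audit_modes() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(file_mode "$f")
        if ! mode_is_restrictive "$m"; then
            printf '%s: mode %s (want 600 or stricter)\n' "$f" "$m"
            bad=1
        fi
    done
    return $bad
}

# Print one line per regular file not owned by root:root; return 1 if any.
audit_owners() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        o=$(file_owner "$f")
        if [ "$o" != "root:root" ]; then
            printf '%s: owner %s (want root:root)\n' "$f" "$o"
            bad=1
        fi
    done
    return $bad
}

# Remediation: chmod 600 every regular file; chown only when running as root,
# because chown to root fails for an unprivileged user.
fix_cni_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chmod 600 "$f"
        if [ "$(id -u)" -eq 0 ]; then
            chown root:root "$f"
        fi
    done
    return 0
}

# Stand-alone use:  sh cni-perms.sh --audit   or   sh cni-perms.sh --fix
case "${1:-}" in
    --audit)
        audit_modes "$CNI_DIR"; rc1=$?
        audit_owners "$CNI_DIR"; rc2=$?
        [ "$rc1" -eq 0 ] && [ "$rc2" -eq 0 ] && echo "$CNI_DIR: CIS 1.1.9/1.1.10 OK"
        ;;
    --fix)
        fix_cni_dir "$CNI_DIR"
        audit_modes "$CNI_DIR" && audit_owners "$CNI_DIR" && echo "$CNI_DIR: fixed"
        ;;
esac
```

Note that the check is a subset test on the permission bits rather than a string comparison against `600`, so `400` and `000` pass as "more restrictive" while `700` fails even though it is numerically larger than `644`. Remediation with `chmod 600` is safe here because the CNI plugin binaries run as root and read the conflist via kubelet, which also runs as root; a redeploy of the Calico manifest may rewrite the file, so the audit is worth running again after upgrades.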