[WIP] 🌱 Change crt permissions in KCP to 0600

[sbueringer]

Signed-off-by: Stefan Büringer [email protected]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbueringer]

Context:

• the latest CIS 1.10 profile suggests to use 0600 for these certificates: https://github.com/aquasecurity/kube-bench/blob/main/cfg/cis-1.10/master.yaml#L292-L306
• kubeadm uses 0644 today: https://github.com/kubernetes/kubernetes/blob/88dfa51b6003c90e8f0a0508939a1d79950a40df/staging/src/k8s.io/client-go/util/cert/io.go#L68-L67

I wonder if 0600 leads to problems with: kubernetes/kubeadm#2473 (comment)

@neolit123 What do you think?

Is there a way that I can verify this works with userns? Do I only have to use Kubernetes >= 1.33?

[neolit123]

if i understand how userns works, this might be fine. you can test with any new release that has userns support. i don't think we ever tested kubeadm with userns yet, fwiw.

they are still fixing bugs and updating docs for the feature and we need it to be ga.

[neolit123]

also, cis has been annoying since it doesn't consider permissions of the parent dir. distributions on top of kubeadm and capi ca choose to generate their own certs, but that's extra work.

[sbueringer]

I was wondering if "userns is being enabled by default in 1.33" (kubernetes/kubeadm#2473 (comment)) means that it's also used for static Pods per default

[neolit123]

it's enabled in core k8s, but pod users must opt-in; kubeadm hasn't yet.

[sbueringer]

Got it, thx!

[sbueringer]

/test pull-cluster-api-e2e-main

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[sbueringer]

/close

Might revive this later, not sure yet

[k8s-ci-robot]

@sbueringer: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.