Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update permission bits for kubelet-exec-start-conf #4199

Merged
merged 1 commit into from
Oct 9, 2024
Merged

fix: update permission bits for kubelet-exec-start-conf #4199

merged 1 commit into from
Oct 9, 2024

Conversation

Sparksssj
Copy link
Contributor

@Sparksssj Sparksssj commented Sep 16, 2024
edited
Loading

Issue number:
Closes #4173

Description of changes:
Changed the mode code for configuration-files.kubelet-exec-start-conf, such that it will not generate error message.
Screenshot 2024-09-16 at 2 52 51 PM

Screenshot 2024-09-16 at 4 55 59 PM

Testing done:
Required migration test was done.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@Sparksssj Sparksssj changed the title fix: removed unexpected error message fix: update permission bits for kubelet-exec-start-conf Sep 16, 2024
@Sparksssj Sparksssj marked this pull request as draft September 16, 2024 20:06
@Sparksssj Sparksssj marked this pull request as ready for review September 19, 2024 23:10
@bcressey
Copy link
Contributor

Can you verify that the file permissions are not flagged by the CIS Kubernetes report (at either level)?

@Sparksssj
Copy link
Contributor Author

Can you verify that the file permissions are not flagged by the CIS Kubernetes report (at either level)?

Sorry but I'm not quite understand what this means.

@bcressey
Copy link
Contributor

Sorry but I'm not quite understand what this means.

On an image with your changes applied, run this command and check the output:

$ apiclient report cis-k8s -l 2
Benchmark name:  CIS Kubernetes Benchmark (Worker Node)
Version:         v1.8.0
Reference:       https://www.cisecurity.org/benchmark/kubernetes
Benchmark level: 1
Start time:      2024-09-25T21:04:00.514761119Z

[PASS] 4.1.1     Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automatic)
...
Compliance check result: PASS

It needs to continue to say "PASS" for both the 4.1.1 check and the final result.

@bcressey
Copy link
Contributor

It would also be good to check the journal before and after, to confirm that the warnings are no longer logged.

@Sparksssj
Copy link
Contributor Author

Screenshot 2024-09-26 at 10 15 42 AM
I've confirmed the report shows PASS here.

@bcressey
Copy link
Contributor

@Sparksssj can you also verify that the warnings from the related issue are no longer present?

@Sparksssj
Copy link
Contributor Author

@Sparksssj can you also verify that the warnings from the related issue are no longer present?

Yes I confirm that this warning exist in previous version, and disappeared after the change.

piyush-jena
piyush-jena reviewed Sep 27, 2024
View reviewed changes
sources/Cargo.toml Outdated
@@ -55,6 +55,7 @@ members = [
"settings-migrations/v1.23.0/nvidia-container-runtime-settings",
"settings-migrations/v1.23.0/kubelet-device-plugins-metadata",
"settings-migrations/v1.23.0/kubelet-device-plugins-settings",
"settings-migrations/v1.23.0/kubernetes-service-config",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since, we released v1.23.0 yesterday, you will have to aim for 1.24.0 or 1.24.1. You will have to rebase and add the migration files to the appropriate directory.

@Sparksssj Sparksssj closed this Oct 8, 2024
@Sparksssj Sparksssj reopened this Oct 8, 2024
@Sparksssj Sparksssj force-pushed the develop branch 2 times, most recently from 7e4a696 to 0f03b1c Compare October 8, 2024 20:23
@Sparksssj Sparksssj self-assigned this Oct 8, 2024
yeazelm
yeazelm reviewed Oct 8, 2024
View reviewed changes
Release.toml Show resolved Hide resolved
@Sparksssj Sparksssj force-pushed the develop branch 2 times, most recently from ad21f25 to 645f7f4 Compare October 8, 2024 21:36
ginglis13
ginglis13 approved these changes Oct 8, 2024
View reviewed changes
Copy link
Contributor

@ginglis13 ginglis13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ginglis13 ginglis13 mentioned this pull request Oct 8, 2024
Closed
6 tasks
@Sparksssj Sparksssj merged commit 280d5bd into bottlerocket-os:develop Oct 9, 2024
2 checks passed
@KCSesh KCSesh mentioned this pull request Oct 23, 2024
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@piyush-jena piyush-jena piyush-jena left review comments

@yeazelm yeazelm yeazelm approved these changes

@ginglis13 ginglis13 ginglis13 approved these changes

Assignees

@Sparksssj Sparksssj

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Getting repeated warnings about world-readable systemd unit file
5 participants
@Sparksssj @bcressey @piyush-jena @ginglis13 @yeazelm