-
Notifications
You must be signed in to change notification settings - Fork 735
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CNI Plugin creates publicly readable log files, failing Inspector CIS rules. #1349
Comments
Hi @linxcat There is an option to disable this logging (
Are you looking for an option to make it readable only for say root user? Thanks! |
That would be the most appropriate thing, yes. That being said, I'd also like to know the location of that option (file, env, etc) for alteration if necessary. |
Currently I dont see an option which makes the file readable only for a user other than manually doing a chmod on the file. Let me dig deep and see if something can be done here. |
Thanks @nithu0115 for sharing this. Currently zap logger doesnt support setting file permission - uber-go/zap#860. One alternate way we think is to create the directory and file ahead of time. |
Buy this do you mean on image build (with packer for instance)? When is this folder created automatically, during EKS bootstrap? |
This can be done at bootstrap, but the recommended way is to add a pre-start script in the init container (https://github.com/aws/amazon-vpc-cni-k8s/blob/master/scripts/init.sh) to just touch this file and chmod to change the permissions. The folder is created by aws-node ds (https://github.com/aws/amazon-vpc-cni-k8s/blob/master/config/master/aws-k8s-cni.yaml#L186) |
Hi @linxcat Did you get a chance to try this recommendation of file touch with init container? Please let me know if you need any steps to add that. |
I've just been able to come back to this issue after other concerns took priority. If I understand this correctly, this means adding an init container to the aws-node daemonset and which would affect all nodes launched post-change. I can see the init container mentioned in this daemonset, but I don't have any knowledge on what adding a script to it (rather than an extra initContainer) entails. |
Hi, I did a quick POC and modified the existing init container and that seems to work -
Changes - In https://github.com/aws/amazon-vpc-cni-k8s/blob/master/scripts/init.sh, I added the below lines -
And in the DS had to mount the directory in the initContainers section -
Yes another initContainer needs to be added to achieve this functionality and not just the nodes launched post change, it will restart aws-node on the existing nodes in the cluster and set the file permission appropriately. |
This solution you're describing involves branching out and maintaining this new version of the script, correct? |
Also, your solutions have focussed on specifically the ipamd.log file within /var/log/aws-routed-eni/ as I mentioned in my original comment, but there are dozens of files in there besides the one you are mentioning, including the folder itself, which have this readability problem. There is one file for every single eni on the node. They're also all uniquely named (after the eni ID) so pre-touching them is impossible. |
Yes, this would need special management of the script and you can chmod on the main directory. CNI manages only |
We will keep track of the zaplogger infra bug and update the permissions once we have the support. Please feel free to reach out. |
I'm having the same issue with aws inspector. I did fix the permissions by creating the directory and the files prior to being used which seemed to have done the trick. The issue that I'm having is that I'm still not compliant. I have done everything I could think of and it still complains. I understand this is not an error related to this project, but it's the only mention I have found anywhere that is close to my issue. Are you passing 4.2.4 now @linxcat ? |
What happened:
In an effort to harden our EKS cluster to CIS standards, we have employed Inspector in discovering weaknesses in our custom AMI implementation. Rule 4.2.4 in particular is proving very troublesome, since the failure is part of the base AL2 EKS AMI itself. The CNI plugin creates files in /var/log/aws-routed-eni/ which all have globally readable permission, failing AWS's own tests. I hope there's a way to configure it not to do this, but I've been searching for nearly a whole day and have found nothing at all documenting it.
Environment:
The text was updated successfully, but these errors were encountered: