feature request: CNI file permissions more restrictive (600)

k8snetworkplumbingwg / multus-cni

A CNI meta-plugin for multi-homed pods in Kubernetes

Apache License 2.0

2.35k stars 585 forks source link

feature request: CNI file permissions more restrictive (600) #1301

Closed missa-wndrvr closed 1 week ago

missa-wndrvr commented 3 months ago

What would you like to be added: Ensuring the file permission of the multus-conf-file is set to 600 when copied to host.

Why is this needed: CNI-related CIS Benchmarks include:

1.1.9   Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
1.1.10  Ensure that the Container Network Interface file ownership is set to root:root

Currently:

root@user: stat -c '%a %n' /etc/cni/net.d/05-multus.conf
644 /etc/cni/net.d/05-multus.conf

dougbtv commented 3 months ago

Any chance you'd mind submitting a PR to ensure this mode? Sounds like a fair change to me

github-actions[bot] commented 2 weeks ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.