Fix ownership related to Calico

[oomichi]

What type of PR is this?

/kind bug

What this PR does / why we need it:

kube-bench scan outputs warning related to Calico like:

• text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
• text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

Which issue(s) this PR fixes:

Fixes #8070

Does this PR introduce a user-facing change?:

[Calico] Fix Kube-bench security warnings on calico controller (file ownership/permissions)

[oomichi]

/cc @cristicalin

[k8s-ci-robot]

@oomichi: GitHub didn't allow me to request PR reviews from the following users: cristicalin.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @cristicalin

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cristicalin]

I'm not a sig member yet so I can't do more than 👍 but it looks good to me.

[champtar]

I'm not a sig member yet so I can't do more than 👍 but it looks good to me.

You just need 2 +1 to become a member and given your contributions you can count on mine no problem ;)

[oomichi]

I'm not a sig member yet so I can't do more than 👍 but it looks good to me.

I am happy to support you for the membership if necessary ! :-)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, oomichi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[oreillymj]

Just wondering why the kube user was created? And also, do the cni configs require 755 permissions.

• name: Prepare generic
  hosts: all
  become: true
  roles:
  • role: kubespray-defaults
  • role: bootstrap-os
  • role: adduser
    user: "{{ addusers.kube }}"
    tasks:
  • include_tasks: "../../../../download/tasks/download_file.yml"
    vars:
    download: "{{ download_defaults | combine(downloads.cni) }}"

[cristicalin]

Just wondering why the kube user was created? And also, do the cni configs require 755 permissions.

The kube user is actually quite a pain and I think a legacy we carry around. The main issue is we never allocated a stable UID for it but it was required since some components refuse to access files owned by root and generally it was accepted as a best practice to not have root own or run certain stuff.

Regarding 0755 access patterns, it is there to mitigate situations where we have UID mismatch with things that are running in containers but with a different UID than kube user UID.

[jayonlau]

/lgtm

[tboevil]

maybe missing a place

roles/kubernetes/preinstall/tasks/0050-create_directories.yml:74