-
Notifications
You must be signed in to change notification settings - Fork 511
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hardening: Enable setting templated file permissions #2921
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stmcginnis
force-pushed
the
template-mode
branch
from
March 24, 2023 21:09
535c339
to
d082d2f
Compare
stmcginnis
force-pushed
the
template-mode
branch
from
April 4, 2023 18:05
d082d2f
to
88e235d
Compare
bcressey
reviewed
Apr 4, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me overall, just one suggestion.
stmcginnis
force-pushed
the
template-mode
branch
from
April 5, 2023 15:35
88e235d
to
d40b1ae
Compare
stmcginnis
force-pushed
the
template-mode
branch
from
April 12, 2023 16:23
d40b1ae
to
039a19a
Compare
Rebased to address |
stmcginnis
force-pushed
the
template-mode
branch
from
April 22, 2023 06:31
039a19a
to
3c8bdf9
Compare
yeazelm
approved these changes
Apr 24, 2023
jpmcb
approved these changes
Apr 24, 2023
stmcginnis
force-pushed
the
template-mode
branch
from
April 24, 2023 20:54
3c8bdf9
to
0db8fc7
Compare
Force push to resolve merge conflict. |
This adds the ability to specify the permission mode of files created from a template. This enables the ability to have file-by-file control for sensitive files to enforce more restrictive permissions. Signed-off-by: Sean McGinnis <stmcg@amazon.com>
bcressey
approved these changes
May 4, 2023
This adds a migration for the addition of the mode property for a few of the Kubernetes template files. Signed-off-by: Sean McGinnis <stmcg@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
N/A
Description of changes:
This adds the ability to specify the permission mode of files created from a template. This enables the ability to have file-by-file control for sensitive files to enforce more restrictive permissions.
Note that Bottlerocket is not a multiuser system and this is just extra precaution to change the permissions on these files. It does happen from time to time that security tools meant for more general purpose Linux distributions are run against Bottlerocket and report issues based on the default file permissions, so this is partly a cosmetic change to prevent these tools from report false errors.
Testing done:
Built and deployed EKS cluster. Verified that the file permissions on the modified template files were set to the correct permissions and that the system operated as expected.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.