hardening: Enable setting templated file permissions #2921
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stmcginnis
force-pushed
the
template-mode
branch
from
535c339
to
d082d2f
Compare
stmcginnis
force-pushed
the
template-mode
branch
from
d082d2f
to
88e235d
Compare
bcressey
reviewed
Apr 4, 2023
stmcginnis
force-pushed
the
template-mode
branch
from
88e235d
to
d40b1ae
Compare
stmcginnis
force-pushed
the
template-mode
branch
from
d40b1ae
to
039a19a
Compare
|
Rebased to address |
stmcginnis
force-pushed
the
template-mode
branch
from
039a19a
to
3c8bdf9
Compare
yeazelm
approved these changes
Apr 24, 2023
jpmcb
approved these changes
Apr 24, 2023
stmcginnis
force-pushed
the
template-mode
branch
from
3c8bdf9
to
0db8fc7
Compare
|
Force push to resolve merge conflict. |
This adds the ability to specify the permission mode of files created from a template. This enables the ability to have file-by-file control for sensitive files to enforce more restrictive permissions. Signed-off-by: Sean McGinnis <stmcg@amazon.com>
bcressey
approved these changes
May 4, 2023
This adds a migration for the addition of the mode property for a few of the Kubernetes template files. Signed-off-by: Sean McGinnis <stmcg@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
N/A
Description of changes:
This adds the ability to specify the permission mode of files created from a template. This enables the ability to have file-by-file control for sensitive files to enforce more restrictive permissions.
Note that Bottlerocket is not a multiuser system and this is just extra precaution to change the permissions on these files. It does happen from time to time that security tools meant for more general purpose Linux distributions are run against Bottlerocket and report issues based on the default file permissions, so this is partly a cosmetic change to prevent these tools from report false errors.
Testing done:
Built and deployed EKS cluster. Verified that the file permissions on the modified template files were set to the correct permissions and that the system operated as expected.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.