From 2ec6ee7039fd68c27c11574aefa18e0ca0e26619 Mon Sep 17 00:00:00 2001
From: Md Irshad Sheikh
Date: Thu, 23 Jan 2025 01:20:35 -0500
Subject: [PATCH] Change admin.conf file ownership to root:root

In this commit, added the code to change the /etc/kubenetes/admin.conf file ownership to root:root in fresh install. Also, added the code to run the command "setfacl -m g:sys_protected:r /etc/kubernetes/admin.conf" such that all the WRCP users/applications that are in the sys_protected group continue to have read access to this file.

TEST CASES:
PASSED: Checked ownership using below command
"ls -al /etc/kubernetes/admin.conf".
PASSES: Checked the file permission using below command which will show 640.
"stat -c %a /etc/kubernetes/admin.conf"
PASSED: Checked the ACL entries using below command
"getfacl /etc/kubernetes/admin.conf".
PASSED: No error when ran "system host-swact" in AIO-DX.
PASSED: No alarms when ran "fm alarm-list".
PASSED: Verified that sysinv can read admin.conf file using below commands:
"sudo -u sysinv cat "/etc/kubernetes/admin.conf" &>/dev/null"
"sudo -u sysadmin cat "/etc/kubernetes/admin.conf" &>/dev/null"
Added "testuser" to the users group and ran below command and this gives output "can not read /etc/kubernetes/admin.conf":
sudo -u "testuser" cat "/etc/kubernetes/admin.conf" &>/dev/null
Also verified using system command which can read admin.conf:
"system service-parameter-modify kubernetes kube_apiserver audit-log-maxage=30"

Story: 2011334
Task: 51610
Change-Id: I6097f9f4863d83f69b5e804fec6cf4a02607c799
Signed-off-by: Md Irshad Sheikh
---
 .../src/modules/platform/manifests/kubernetes.pp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
index 634b64da6..bdb1416d1 100644
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@@ -461,9 +461,13 @@ class platform::kubernetes::master::init
 -> file { '/etc/kubernetes/admin.conf':
 ensure => file,
 owner => 'root',
- group => $::platform::params::protected_group_name,
+ group => 'root',
 mode => '0640',
 }
+ -> exec { 'set_acl_on_admin_conf':
+ command => 'setfacl -m g:sys_protected:r /etc/kubernetes/admin.conf',
+ logoutput => true,
+ }
 # Fresh installation with Kubernetes 1.29 generates the super-admin.conf
 # only in controller-0 and not in controller-1. The following command
 # generates the super-admin.conf in controller-1.
@@ -558,9 +562,13 @@ class platform::kubernetes::master::init
 # to kube config during the host reboots after the initial install.
 file { '/etc/kubernetes/admin.conf':
 owner => 'root',
- group => 'sys_protected',
+ group => 'root',
 mode => '0640',
 }
+ -> exec { 'set_acl_on_admin_conf':
+ command => 'setfacl -m g:sys_protected:r /etc/kubernetes/admin.conf',
+ logoutput => true,
+ }
 # Regenerate CPUShares since we may reconfigure number of platform cpus
 file { '/etc/systemd/system/kubelet.service.d/kubelet-cpu-shares.conf':
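Review bot: `exec { 'set_acl_on_admin_conf': ... }` in both hunks re-runs `setfacl` on every agent run, because it has no `unless`, `onlyif` or `refreshonly` guard, so each run reports a change for a state that is normally already in place. A guard such as `unless => 'getfacl -p /etc/kubernetes/admin.conf | grep -q "^group:sys_protected:r--"'` (example; match it to the exact getfacl output) keeps the resource idempotent while still restoring the ACL if the file is regenerated. The command is also not fully qualified and no `path =>` is given, which Puppet rejects unless an `Exec` resource default sets `path` elsewhere in this manifest; that default would be outside the hunk, so please confirm it exists. The same resource title is declared in both hunks of `platform::kubernetes::master::init`, which is only valid if the two branches never evaluate in one catalog — the pre-existing duplicate `file` declarations suggest they do not, but the hunk does not show the enclosing conditional.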