From 19d07a4f2e8602c470736f4fe1527eb7feff117c Mon Sep 17 00:00:00 2001
From: Kenichi Omichi <ken1ohmichi@gmail.com>
Date: Tue, 19 Oct 2021 17:35:57 -0700
Subject: [PATCH] Fix ownership related to Calico (#8072)

The kube-bench scan outputs warnings related to Calico, such as:

* text: "Ensure that the Container Network Interface file
  permissions are set to 644 or more restrictive (Manual)"
* text: "Ensure that the Container Network Interface file
  ownership is set to root:root (Manual)"

This fixes these warnings.
---
 roles/container-engine/gvisor/molecule/default/prepare.yml | 2 +-
 roles/network_plugin/calico/tasks/install.yml              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/container-engine/gvisor/molecule/default/prepare.yml b/roles/container-engine/gvisor/molecule/default/prepare.yml
index e5a7e773c..8f9ef7ddf 100644
--- a/roles/container-engine/gvisor/molecule/default/prepare.yml
+++ b/roles/container-engine/gvisor/molecule/default/prepare.yml
@@ -36,7 +36,7 @@
       file:
         path: /etc/cni/net.d
         state: directory
-        owner: kube
+        owner: root
         mode: 0755
     - name: Setup CNI
       copy:
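Review bot: The directory task sets `owner: root` but no `group:`, so the group of `/etc/cni/net.d` stays whatever it already is, while the kube-bench check quoted in the commit message expects root:root. Adding `group: root` next to the changed line would make the ownership explicit instead of relying on the default. The template task in roles/network_plugin/calico/tasks/install.yml omits `group:` in the same way. The task's `name:` line sits above this hunk, so only its module arguments are visible here.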
diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml
index 75a9e5eef..cac20ea5e 100644
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -20,7 +20,7 @@
   template:
     src: "cni-calico.conflist.j2"
     dest: "/etc/cni/net.d/calico.conflist.template"
-    owner: kube
+    owner: root
   register: calico_conflist
   notify: reset_calico_cni
 
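Review bot: The template task for `/etc/cni/net.d/calico.conflist.template` still has no `mode:`, so the permissions half of the kube-bench finding (644 or more restrictive) is not actually enforced by this change. Without it, a newly created file takes its mode from the remote umask, and a file that already exists keeps its current mode, so a previously loose mode would survive the ownership fix. Adding `mode: "0644"` under `owner: root` makes the result deterministic, and the quoted form avoids any octal parsing ambiguity. A CNI configuration that a non-root account can write would let that account alter how pod networking is set up on the node, which is why the benchmark checks both ownership and mode.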
-- 
GitLab