0400-k8s-node-conf-priv-kubernetes Configuration File Permissions Not Set to 644 or Higher
Rule ID
Category
Level
Compatible Versions
Description
- If you are using a Kubernetes node on a computer managed by systemd, please verify that the permissions of the kubernetes.service file are correctly set to 644 or more restrictive.
Scan Frequency
Theoretical Basis
- The kubernetes.service file contains sensitive parameters that can alter the behavior of the Kubernetes daemon. Therefore, no user other than root should be able to write to it to maintain the integrity of the file.
Risk Items
Audit Method
- Execute the following commands to verify that the file permissions are set to "644" or more restrictive:
stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
stat -c %a /etc/kubernetes/kubelet.conf
stat -c %a /var/lib/kubelet/config.yaml
- Execute the following commands to modify the permissions of the three configuration files:
#> chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/kubernetes/kubelet.conf /var/lib/kubelet/config.yaml
Impact
Default Values
- This file may not exist on the system. In this case, this recommendation does not apply. By default, if the file exists, the file permissions will be correctly set to 644.
References
CIS Controls