C-0097 - Ensure that the scheduler pod specification file ownership is set to root:root

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

The scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.

Related resources

What does this control test

Ensure that the scheduler pod specification file ownership is set to root:root.

How to check it manually

Run the below command (based on the file location on your system) on the Control Plane node. For example,

stat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml

Verify that the ownership is set to root:root.

Remediation

Run the below command (based on the file location on your system) on the Control Plane node. For example,

chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml

Impact Statement

None

Default Value

By default, kube-scheduler.yaml file ownership is set to root:root.

Example

No example