C-0164 - If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
The kube-proxy
kubeconfig file controls various parameters of the kube-proxy
service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.
It is possible to run kube-proxy
with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.
Related resources
What does this control test
If kube-proxy
is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600
or more restrictive.
How to check it manually
Find the kubeconfig file being used by kube-proxy
by running the following command:
ps -ef | grep kube-proxy
If kube-proxy
is running, get the kubeconfig file location from the --kubeconfig
parameter.
To perform the audit:
Run the below command (based on the file location on your system) on the each worker node. For example,
stat -c %a <path><filename>
Verify that a file is specified and it exists with permissions are 600
or more restrictive.
Remediation
Run the below command (based on the file location on your system) on the each worker node. For example,
chmod 600 <proxy kubeconfig file>
Impact Statement
None
Default Value
By default, proxy file has permissions of 640
.
Example
No example
Updated 4 months ago