C-0165 - If proxy kubeconfig file exists ensure ownership is set to root:root
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
The kubeconfig file for kube-proxy
controls various parameters for the kube-proxy
service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root
.
Related resources
What does this control test
If kube-proxy
is running, ensure that the file ownership of its kubeconfig file is set to root:root
.
How to check it manually
Find the kubeconfig file being used by kube-proxy
by running the following command:
ps -ef | grep kube-proxy
If kube-proxy
is running, get the kubeconfig file location from the --kubeconfig
parameter.
To perform the audit:
Run the below command (based on the file location on your system) on the each worker node. For example,
stat -c %U:%G <path><filename>
Verify that the ownership is set to root:root
.
Remediation
Run the below command (based on the file location on your system) on the each worker node. For example,
chown root:root <proxy kubeconfig file>
Impact Statement
None
Default Value
By default, proxy
file ownership is set to root:root
.
Example
No example
Updated 3 days ago