C-0165 - If proxy kubeconfig file exists ensure ownership is set to root:root

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

The kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.

Related resources

What does this control test

If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.

How to check it manually

Find the kubeconfig file being used by kube-proxy by running the following command:

ps -ef | grep kube-proxy

If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter.

To perform the audit:

Run the below command (based on the file location on your system) on the each worker node. For example,

stat -c %U:%G <path><filename>

Verify that the ownership is set to root:root.

Remediation

Run the below command (based on the file location on your system) on the each worker node. For example,

chown root:root <proxy kubeconfig file>

Impact Statement

None

Default Value

By default, proxy file ownership is set to root:root.

Example

No example