C-0171 - If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-eks-t1.2.0, cis-v1.23-t1.0.1, cis-aks-t1.2.0

Severity

High

Description of the the issue

The kubelet reads various parameters, including security settings, from a config file specified by the --config argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by root:root.

Related resources

What does this control test

Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root.

How to check it manually

Run the below command (based on the file location on your system) on the each worker node. For example,

stat -c %a /var/lib/kubelet/config.yaml
```Verify that the ownership is set to `root:root`.

Remediation

Run the following command (using the config file location identied in the Audit step)

chown root:root /etc/kubernetes/kubelet.conf

Impact Statement

None

Default Value

By default, /var/lib/kubelet/config.yaml file as set up by kubeadm is owned by root:root.

Example

No example