C-0171 - If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0
Severity
High
Description of the the issue
The kubelet reads various parameters, including security settings, from a config file specified by the --config
argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by root:root.
Related resources
What does this control test
Ensure that if the kubelet refers to a configuration file with the --config
argument, that file is owned by root:root.
How to check it manually
Run the below command (based on the file location on your system) on the each worker node. For example,
stat -c %a /var/lib/kubelet/config.yaml
```Verify that the ownership is set to `root:root`.
Remediation
Run the following command (using the config file location identied in the Audit step)
chown root:root /etc/kubernetes/kubelet.conf
Impact Statement
None
Default Value
By default, /var/lib/kubelet/config.yaml
file as set up by kubeadm
is owned by root:root
.
Example
No example
Updated 11 days ago