C-0238 - Ensure that the kubeconfig file permissions are set to 644 or more restrictive

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-aks-t1.2.0, cis-eks-t1.2.0

Severity

Medium

Description of the the issue

The kubelet kubeconfig file controls various parameters of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.

It is possible to run kubelet with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.

Related resources

What does this control test

If kubelet is running, and if it is configured by a kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.

How to check it manually

SSH to the worker nodes

To check to see if the Kubelet Service is running:

sudo systemctl status kubelet

The output should return Active: active (running) since..

Run the following command on each node to find the appropriate kubeconfig file:

ps -ef | grep kubelet

The output of the above command should return something similar to --kubeconfig /var/lib/kubelet/kubeconfig which is the location of the kubeconfig file.

Run this command to obtain the kubeconfig file permissions:

stat -c %a /var/lib/kubelet/kubeconfig

The output of the above command gives you the kubeconfig file's permissions.

Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.

Remediation

Run the below command (based on the file location on your system) on the each worker
node. For example,

chmod 644 <kubeconfig file>

Impact Statement

None.

Default Value

See the AWS EKS documentation for the default value.

Example

No example