CIS-1.1.20 - Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive

Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive

Note: to enable this control run Kubescape with host sensor (see here)

Framework

CIS

Severity

High

Description of the the issue

Kubernetes makes use of a number of certificate files as part of the operation of its components. The permissions on these files should be set to 600 or more restrictive to protect their integrity.

Related resources

What does this control test

Ensure that Kubernetes PKI certificate files have permissions of 600 or more restrictive.

How to check it manually

Run the below command (based on the file location on your system) on the Control Plane node. For example,

ls -laR /etc/kubernetes/pki/*.crt

Verify that the permissions are 600 or more restrictive.

Remediation

Run the below command (based on the file location on your system) on the Control Plane node. For example,

chmod -R 600 /etc/kubernetes/pki/*.crt

Impact Statement

None

Default Value

By default, the certificates used by Kubernetes are set to have permissions of 644

Example

No example