CIS-4.1.3 - If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive

If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive

Note: to enable this control run Kubescape with host sensor (see here)

Framework

CIS

Severity

Medium

Description of the the issue

The kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.

It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.

Related resources

What does this control test

If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive.

How to check it manually

Find the kubeconfig file being used by kube-proxy by running the following command:

ps -ef | grep kube-proxy

If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter.

To perform the audit:

Run the below command (based on the file location on your system) on the each worker node. For example,

stat -c %a <path><filename>

Verify that a file is specified and it exists with permissions are 600 or more restrictive.

Remediation

Run the below command (based on the file location on your system) on the each worker node. For example,

chmod 600 <proxy kubeconfig file>

Impact Statement

None

Default Value

By default, proxy file has permissions of 640.

Example

No example