Profile applicability: Level 1 - Worker Node
Ensure that if the kubelet refers to a configuration file with the
--config
argument, that file is owned by root:root.The kubelet reads various parameters, including security settings, from a config file
specified
by the
--config argument. If this file is specified you should restrict its file
permissions to maintain the integrity of the file. The file should be owned by
root:root. |
NoteBy default,
/var/lib/kubelet/config.yaml file as set up by
kubeadm is owned by root:root. |
Audit
Automated AAC auditing has been modified to allow CIS-CAT to input a variable for
the
<PATH>/<FILENAME> of the kubelet config yaml file. Set $kubelet_config_yaml=<PATH>
based on the file location on your system:
export kubelet_config_yaml=/var/lib/kubelet/config.yaml
To perform the audit manually, run the below command (based on the file location on
your
system) on the each worker node:
stat -c %aU %G /var/lib/kubelet/config.yaml
Verify that the ownership is set to
root:root.Remediation
Run the following command (using the config file location identied in the Audit step):
chown root:root /etc/kubernetes/kubelet.conf