Profile applicability: Level 1 - Worker Node
Ensure that the
kubelet.conf file has permissions of 600 or more
restrictive.The
kubelet.conf file is the kubeconfig file for the node, and controls
various parameters that set the behavior and identity of the worker node. You should
restrict its
file permissions to maintain the integrity of the file. The file should be writable
by only the
administrators on the system. |
NoteBy default,
kubelet.conf file has permissions of 600. |
Audit
Automated AAC auditing has been modified to allow CIS-CAT to input a variable for
the
<PATH>/<FILENAME> of the kubelet config file. Set $kubelet_config=<PATH> based on
the
file location on your system:
export kubelet_config=/etc/kubernetes/kubelet.conf
To perform the audit manually, run the below command (based on the file location on
your
system) on the each worker node:
stat -c %a /etc/kubernetes/kubelet.conf
Verify that the ownership is set to
root:root. Verify that the permissions
are 600 or more restrictive.Remediation
Run the below command (based on the file location on your system) on the each worker
node:
chmod 600 /etc/kubernetes/kubelet.conf