Profile applicability: Level 1 - Worker Node
Ensure that the
kubelet.conf file has permissions of 600 or more restrictive.The
kubelet.conf file is the kubeconfig file for the node, and controls various parameters that set
the behavior and identity of the worker node. You should restrict its file permissions
to maintain the integrity of the file. The file should be writable by only the administrators
on the system. |
NoteBy default,
kubelet.conf file has permissions of 600. |
Audit
Automated AAC auditing has been modified to allow CIS-CAT to input a variable for
the <PATH>/<FILENAME> of the kubelet config file. Set $kubelet_config=<PATH> based
on the file location on your system:
export kubelet_config=/etc/kubernetes/kubelet.conf
To perform the audit manually, run the below command (based on the file location on
your system) on the each worker node:
stat -c %a /etc/kubernetes/kubelet.conf
Verify that the ownership is set to
root:root. Verify that the permissions are 600 or more restrictive.Remediation
Run the below command (based on the file location on your system) on the each worker
node:
chmod 600 /etc/kubernetes/kubelet.conf