Profile applicability: Level 1 - Worker Node
Ensure that if the kubelet refers to a configuration file with the
--config argument, that file is owned by root:root.The kubelet reads various parameters, including security settings, from a config file
specified by the
--config argument. If this file is specified you should restrict its file permissions to maintain
the integrity of the file. The file should be owned by root:root. |
NoteBy default,
/var/lib/kubelet/config.yaml file as set up by kubeadm is owned by root:root. |
Audit
Automated AAC auditing has been modified to allow CIS-CAT to input a variable for
the <PATH>/<FILENAME> of the kubelet config yaml file.
Please set $kubelet_config_yaml=<PATH> based on the file location on your system for
example:
export kubelet_config_yaml=/var/lib/kubelet/config.yaml
To perform the audit manually:
Run the below command (based on the file location on your system) on the each worker
node:
stat -c %U:%G /var/lib/kubelet/config.yaml
Verify that the ownership is set to
root:root.Remediation
Run the following command (using the config file location identied in the Audit step):
chown root:root /etc/kubernetes/kubelet.conf