Profile applicability: Level 1
Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.

The kubelet reads various parameters, including security settings, from a config file specified by the --config argument. If this file is specified, you should restrict its file permissions to maintain the integrity of the file. The file should be writable only by the administrators on the system.
Note: By default, the /var/lib/kubelet/config.json file has permissions of 600.
Audit
In OpenShift 4, the kubelet configuration file is managed by the Machine Config Operator and is found at /var/lib/kubelet/config.json or /var/data/kubelet/config.json with file permissions set to 600.

For OpenShift 4.13 and above, run the following command to check the permission:
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host stat -c %a /var/data/kubelet/config.json; done
For earlier versions of OpenShift, run the following command to check the permission:
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host stat -c %a /var/lib/kubelet/config.json; done
Verify that the permissions are 600.
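The audit loop above prints one raw mode per node and leaves the comparison to the reader. The following POSIX sh script is an added example, not part of the benchmark text or of OpenShift, that performs the "600 or more restrictive" check mechanically: a mode passes only if no permission bit is set outside owner read/write, so 600 and 400 pass while 644, 660, 700 and 4600 fail. The function and variable names (mode_is_restrictive, noncompliant_nodes, collect_modes, SAMPLE_RESULTS) are this example's own, the sample results are constructed, and collect_modes assumes the oc debug invocation from the audit section prints the stat output on stdout.

```shell
#!/bin/sh
# Added example (not from the benchmark). Evaluates kubelet config file modes
# against the "600 or more restrictive" requirement.

# mode_is_restrictive MODE
#   MODE is the octal string printed by `stat -c %a` (e.g. 600, 644, 4600).
#   Returns 0 when no permission bit is set outside owner read/write (0600),
#   1 when a wider bit is set, 2 when the input is not a valid mode.
mode_is_restrictive() {
    mode="$1"
    case "$mode" in
        ''|*[!0-7]*|?????*) return 2 ;;   # empty, non-octal, or too long
    esac
    bits=$((0$mode))                      # leading 0 forces octal parsing
    # 0600 is 384 decimal; any bit outside it (group/other access, owner
    # execute, setuid/setgid/sticky) makes the file too permissive.
    [ $(( bits & ~384 )) -eq 0 ]
}

# noncompliant_nodes "NODE MODE\n..."
#   Reads "node mode" pairs, one per line, and prints the names of nodes
#   whose file mode fails mode_is_restrictive.
noncompliant_nodes() {
    printf '%s\n' "$1" | while read -r node mode; do
        [ -n "$node" ] || continue
        mode_is_restrictive "$mode" || printf '%s\n' "$node"
    done
}

# collect_modes PATH
#   Builds the "node mode" list from a live cluster using the same oc debug
#   command as the audit section (hypothetical wrapper; not run in this
#   example, requires oc and cluster access).
collect_modes() {
    path="$1"
    for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
        mode=$(oc debug node/"$node" -- chroot /host stat -c %a "$path" 2>/dev/null)
        printf '%s %s\n' "$node" "$mode"
    done
}

# Constructed sample output, shaped like collect_modes output, for offline use.
SAMPLE_RESULTS="node-a 600
node-b 644
node-c 400
node-d 660"

# Usage: report on the constructed sample, exit non-zero if any node fails.
failed=$(noncompliant_nodes "$SAMPLE_RESULTS")
if [ -n "$failed" ]; then
    printf 'Non-compliant kubelet config permissions on:\n%s\n' "$failed"
else
    echo "All nodes compliant"
fi
```

On a real cluster, replace the constructed list with the output of collect_modes for the path that applies to your OpenShift version (/var/data/kubelet/config.json on 4.13 and above, /var/lib/kubelet/config.json earlier); any node that is printed by noncompliant_nodes needs its file mode corrected to 600 before the control can be marked as passing.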