Title

The Kubernetes component etcd must be owned by etcd. (Cat II impact)

Discussion

The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and the Control Plane would be compromised. The scheduler will implement the changes immediately. Many of the security settings within the document are implemented through this file.

Check Content

Review the ownership of the Kubernetes etcd files by using the command: stat -c %U:%G /var/lib/etcd/* | grep -v etcd:etcd If the command returns any non etcd:etcd file permissions, this is a finding.

Fix Text

Change the ownership of the manifest files to etcd:etcd by executing the command: chown etcd:etcd /var/lib/etcd/*

Additional Identifiers

Rule ID: SV-242445r879887_rule

Vulnerability ID: V-242445

Group Title: SRG-APP-000516-CTR-001325

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.