Check: CNTR-K8-003230
Kubernetes STIG:
CNTR-K8-003230
(in versions v2 r2 through v1 r1)
Title
The Kubernetes kubelet config must have file permissions set to 644 or more restrictive. (Cat II impact)
Discussion
The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If this file can be modified, the information system would be unaware of pod or container degradation.
Check Content
Review the permissions of the Kubernetes config.yaml by using the command: stat -c %a /var/lib/kubelet/config.yaml If any of the files are have permissions more permissive than "644", this is a finding.
Fix Text
Change the permissions of the config.yaml to "644" by executing the command: chmod 644 /var/lib/kubelet/config.yaml
Additional Identifiers
Rule ID: SV-242456r961863_rule
Vulnerability ID: V-242456
Group Title: SRG-APP-000516-CTR-001330
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |