lacework-global-317

3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 1

Description

If kubelet is running, ensure that the file ownership of its kubeconfig file is set to root:root.

Rationale

The kubeconfig file for kubelet controls various parameters for the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.

Impact

None

Audit

SSH to each worker node.

To check to see if the Kubelet Service is running:

sudo systemctl status kubelet

The output should include a line beginning Active: active (running) since ...

Run the following command on each node to find the appropriate kubeconfig file:

ps -ef | grep kubelet

The output of the above command should contain an argument similar to --kubeconfig /var/lib/kubelet/kubeconfig, which is the location of the kubeconfig file.

Run this command to obtain the kubeconfig file ownership:

stat -c %U:%G /var/lib/kubelet/kubeconfig

The output of the above command gives you the kubeconfig file's ownership. Verify that the ownership is set to root:root.
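The three audit steps above, combined into one script as an added example (not part of the Lacework page or the CIS benchmark). It assumes a Linux worker node with GNU stat, kubelet managed as a systemd unit, and the kubeconfig path passed on the kubelet command line as shown above.

```shell
#!/bin/sh
# Added audit helper (not from the page): automates the kubelet kubeconfig
# ownership check. Assumes GNU stat and a systemd-managed kubelet.

# Extract the kubeconfig path from a kubelet command line.
# Handles both "--kubeconfig /path" and "--kubeconfig=/path".
kubeconfig_path_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*--kubeconfig[= ]\([^ ]*\).*/\1/p'
}

# Return 0 if the file's owner:group equals the expected value, 1 otherwise
# (also 1 when the file does not exist or stat fails).
check_ownership() {
    file="$1"; expected="$2"
    actual=$(stat -c %U:%G "$file" 2>/dev/null) || return 1
    [ "$actual" = "$expected" ]
}

# Audit a live node: kubelet running? locate its kubeconfig, verify root:root.
# Exit status: 0 pass, 1 fail, 2 could not audit.
audit_kubelet_kubeconfig() {
    if ! systemctl is-active --quiet kubelet; then
        echo "kubelet is not running; nothing to audit"; return 2
    fi
    # [k]ubelet keeps grep from matching its own command line.
    cmdline=$(ps -eo args | grep '[k]ubelet' | head -n 1)
    path=$(kubeconfig_path_from_cmdline "$cmdline")
    if [ -z "$path" ]; then
        echo "could not find --kubeconfig on the kubelet command line"; return 2
    fi
    if check_ownership "$path" root:root; then
        echo "PASS: $path is owned by root:root"
    else
        echo "FAIL: $path is owned by $(stat -c %U:%G "$path" 2>/dev/null), expected root:root"
        return 1
    fi
}

# Only audit the live node when invoked with --run (needs root on the node).
case "${1:-}" in --run) audit_kubelet_kubeconfig ;; esac
```

Run it as `sudo sh audit.sh --run` on the worker node; the functions can also be sourced and used individually.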

Remediation

Run the below command on each worker node, substituting the kubelet kubeconfig path found in the audit step (for example /var/lib/kubelet/kubeconfig):

chown root:root /var/lib/kubelet/kubeconfig

References

https://kubernetes.io/docs/admin/kube-proxy/