
Verify Group Who Owns The OpenShift Admin Kubeconfig Files

An XCCDF Rule

Description

To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command:

$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig

warning alert: Dependency Warning

This rule is only applicable for nodes that run the Kubernetes API server service. The aforementioned service is only running on the nodes labeled "master" by default.
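The following script is an added example, not part of the SSG rule content or its shipped remediation. It turns the description and the dependency warning into a repeatable check: it audits the group owner of every `*.kubeconfig` under the rule's path, reports as not applicable on nodes where the kube-apiserver static-pod resources are absent, and applies the `chgrp root` remediation only to files that actually need it. The path and group come from the rule; the function names, the `--fix` flag, and the assumption of GNU coreutils `stat` (as found on RHCOS) are mine, and the directory and group can be overridden through the environment for testing.

```shell
#!/usr/bin/env bash
# Added example (not part of the SSG rule content): audit, and optionally
# remediate, the group owner of the admin kubeconfig files named in the rule.
# Assumes GNU coreutils `stat` (as on RHCOS); the path and group below are
# the rule's defaults and may be overridden through the environment.

KUBECONFIG_DIR="${KUBECONFIG_DIR:-/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs}"
EXPECTED_GROUP="${EXPECTED_GROUP:-root}"

# check_kubeconfig_group DIR GROUP
# Reports every *.kubeconfig in DIR whose group owner is not GROUP.
# Returns 0 when all files comply (or none exist), 1 otherwise.
check_kubeconfig_group() {
    local dir="$1" group="$2" rc=0 f actual
    for f in "$dir"/*.kubeconfig; do
        [ -e "$f" ] || continue          # glob matched nothing
        actual=$(stat -c '%G' "$f")
        if [ "$actual" != "$group" ]; then
            printf 'NONCOMPLIANT %s (group %s, expected %s)\n' "$f" "$actual" "$group"
            rc=1
        fi
    done
    return "$rc"
}

# fix_kubeconfig_group DIR GROUP
# The remediation from the rule description (chgrp), applied only to files
# that need it so the output records exactly what was changed. Needs root.
fix_kubeconfig_group() {
    local dir="$1" group="$2" f
    for f in "$dir"/*.kubeconfig; do
        [ -e "$f" ] || continue
        if [ "$(stat -c '%G' "$f")" != "$group" ]; then
            chgrp "$group" "$f" && printf 'FIXED %s\n' "$f"
        fi
    done
}

# audit_node DIR GROUP
# Honours the dependency warning: a node without the kube-apiserver static-pod
# resources directory is not running the API server, so the rule does not
# apply there. Prints PASS, FAIL or NOTAPPLICABLE; returns 1 only on FAIL.
audit_node() {
    local dir="$1" group="$2"
    if [ ! -d "$dir" ]; then
        echo "NOTAPPLICABLE: $dir not present (not a kube-apiserver node)"
        return 0
    fi
    if check_kubeconfig_group "$dir" "$group"; then
        echo "PASS: all kubeconfig files in $dir are group-owned by $group"
        return 0
    fi
    echo "FAIL: run fix_kubeconfig_group '$dir' '$group' as root to remediate"
    return 1
}

# When run directly: audit the real path; pass --fix to remediate first.
if [ "${1:-}" = "--fix" ]; then
    fix_kubeconfig_group "$KUBECONFIG_DIR" "$EXPECTED_GROUP"
fi
audit_node "$KUBECONFIG_DIR" "$EXPECTED_GROUP"
```

Run it without arguments on each control-plane node as a pre-check; run it with `--fix` (as root) to apply the rule's `chgrp` only where the audit found a mismatch. On a worker node it reports NOTAPPLICABLE rather than failing, which is the behaviour the dependency warning calls for.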

Rationale

There are various kubeconfig files that can be used by the administrator, each defining settings for the administration of the cluster. These files contain credentials that can be used to control the cluster, they are needed for disaster recovery, and each kubeconfig points to a different endpoint in the cluster. You should restrict their ownership and file permissions to maintain the integrity of the kubeconfig files, because an attacker who gains access to them can take over the cluster.

ID
xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs
Severity
Medium