Verify Permissions on the OpenShift Admin Kubeconfig Files

An XCCDF Rule

Description

To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command:

$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig

Dependency Warning

This rule is only applicable to nodes that run the Kubernetes Control Plane. By default, that service runs only on the nodes labeled "master".
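The command above is the remediation; an auditor usually also wants the corresponding check, and wants it to treat a node without these files as "not applicable" rather than as a failure, since the rule only applies to control-plane nodes. The script below is an added example, not part of the SSG content or the OpenShift project: it reports every *.kubeconfig file under the node-kubeconfigs directory whose mode grants any group or other bits (anything looser than 0600), optionally tightens only the failing files, and returns 2 when no such files exist. The KUBECONFIG_DIR override and the file names used in testing are assumptions for local use; the real path is the one in the rule. It relies on GNU stat -c, as found on RHCOS.

```shell
#!/bin/sh
# Added example (not SSG or OpenShift code): check and remediate the
# permission requirement for the control-plane node kubeconfig files.
# Default path is the one from the rule; KUBECONFIG_DIR is an assumed
# override so the functions can be exercised against a scratch directory.
KUBECONFIG_DIR="${KUBECONFIG_DIR:-/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs}"

# file_mode_ok FILE
# Returns 0 when FILE has no group/other permission bits (0600 or stricter),
# 1 otherwise. Uses GNU stat (-c '%a' prints the octal mode, e.g. 644).
file_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    # Leading 0 makes the shell parse the value as octal; mask group+other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# check_kubeconfigs [DIR]
# Returns 0 if every *.kubeconfig in DIR passes, 1 if any fails,
# 2 if there are none (rule not applicable, e.g. a worker node).
check_kubeconfigs() {
    dir="${1:-$KUBECONFIG_DIR}"
    found=0
    bad=0
    for f in "$dir"/*.kubeconfig; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        found=$((found + 1))
        if file_mode_ok "$f"; then
            echo "PASS $f mode $(stat -c '%a' "$f")"
        else
            echo "FAIL $f mode $(stat -c '%a' "$f") (expected 0600 or stricter)"
            bad=$((bad + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no *.kubeconfig files in $dir: not applicable (not a control-plane node?)"
        return 2
    fi
    [ "$bad" -eq 0 ]
}

# fix_kubeconfigs [DIR]
# Applies the rule's remediation (chmod 0600) only to files that fail the check,
# so files that are already stricter than 0600 are left untouched.
fix_kubeconfigs() {
    dir="${1:-$KUBECONFIG_DIR}"
    for f in "$dir"/*.kubeconfig; do
        [ -e "$f" ] || continue
        file_mode_ok "$f" || chmod 0600 "$f"
    done
}

main() {
    case "$1" in
        check) check_kubeconfigs "$2" ;;
        fix)   fix_kubeconfigs "$2" && check_kubeconfigs "$2" ;;
        *)     echo "usage: $0 check|fix [DIR]" >&2; return 64 ;;
    esac
}

# Only dispatch when invoked with arguments, e.g.:  sudo ./kubeconfig-perms.sh check
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Running `check` as a compliance scan step yields a per-file PASS/FAIL line and a distinct exit status for "not applicable", which keeps worker nodes from showing up as findings for a control-plane-only rule; `fix` applies exactly the chmod from the rule and re-runs the check so the remediation is verified in the same invocation.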

Rationale

Several kubeconfig files are available to the administrator, each defining settings for administering the cluster and each pointing to a different endpoint in the cluster. These files contain credentials that can be used to control the cluster and are needed for disaster recovery. Restrict their file permissions to protect the integrity of the kubeconfig files: an attacker who gains access to them can take over the cluster.

ID
xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs
Severity
Medium
References
Updated