Skip to content

Verify Permissions on the OpenShift PKI Certificate Files

An XCCDF Rule

Description

To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt, run the command:

$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt

warning alert: Dependency Warning

This rule is only applicable for nodes that run the Kubernetes Control Plane. The aforementioned service is only running on the nodes labeled "master" by default.

Rationale

OpenShift makes use of a number of certificate files as part of the operation of its components. The permissions on these files should be set to

600
or more restrictive to protect their integrity.

ID
xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_cert_files
Severity
Medium
References
Updated