An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/kubernetes/kubelet.conf
$ sudo chgrp root /etc/kubernetes/kubelet.conf
sdn-config
/config
sdn
--proxy-config
oc get -nopenshift-sdn ds sdn -ojson | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'
/config/kube-proxy-config.yaml
config
/etc/kubernetes/kubelet-ca.crt
$ sudo chgrp root /etc/kubernetes/kubelet-ca.crt
/var/lib/kubelet/kubeconfig
$ sudo chgrp root /var/lib/kubelet/kubeconfig
/etc/systemd/system/kubelet.service
$ sudo chgrp root /etc/systemd/system/kubelet.service
/var/lib/kubelet/config.json
$ sudo chown root /var/lib/kubelet/config.json
$ sudo chown root /etc/kubernetes/kubelet.conf
$ sudo chown root /etc/kubernetes/kubelet-ca.crt
$ sudo chown root /var/lib/kubelet/kubeconfig
$ sudo chown root /etc/systemd/system/kubelet.service
$ sudo chmod 0600 /var/lib/kubelet/config.json
$ sudo chmod 0644 /etc/kubernetes/kubelet.conf
{ "configMap": { "defaultMode": 420, "name": "sdn-config" }, "name": "config" }
$ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt
$ sudo chmod 0600 /var/lib/kubelet/kubeconfig
$ sudo chmod 0644 /etc/systemd/system/kubelet.service