Skip to content

Verify Group Who Owns The Worker Proxy Kubeconfig File

An XCCDF Rule

Description

To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct ownership, make sure that the sdn-config ConfigMap is mounted using a ConfigMap at the /config mount point and that the sdn container points to that configuration using the --proxy-config command line option. Run:

 oc get -nopenshift-sdn ds sdn -ojson | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'
and ensure the --proxy-config parameter points to /config/kube-proxy-config.yaml and that the config mount point is mounted from the sdn-config ConfigMap.

Rationale

The kubeconfig file for kube-proxy provides permissions to the kube-proxy service. The proxy kubeconfig file contains information about the administrative configuration of the OpenShift cluster that is configured on the system. Protection of this file is critical for OpenShift security. The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the file permissions are appropriate for the container taking it into use.

ID
xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig
Severity
Medium
References
Updated