Verify Group Who Owns The Worker Proxy Kubeconfig File
An XCCDF Rule
Description
To ensure the kube-proxy configuration is mounted into the sdn DaemonSet pods with the correct ownership, make sure that the sdn-config ConfigMap is mounted at the /config mount point and that the sdn container points to that configuration using the --proxy-config command line option.
Run:
oc get -n openshift-sdn ds sdn -o json | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'
and ensure that the --proxy-config parameter points to /config/kube-proxy-config.yaml and that the volumeMount at /config is backed by the sdn-config ConfigMap. The jq filter above shows the container's command, args and volumeMounts; the volume that the mount refers to is defined in .spec.template.spec.volumes of the same DaemonSet, so confirm there that it is a configMap volume named sdn-config rather than, for example, a hostPath.
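As an added example (not part of this rule's own check content), the following Python script performs the same verification offline against the JSON that oc get -n openshift-sdn ds sdn -o json prints: it finds the sdn container, extracts the --proxy-config value from its command and args (including when the flag sits inside a bash -c wrapper string), and follows the /config volumeMount back to the pod volume to confirm that it is a ConfigMap named sdn-config. The embedded DaemonSet objects are constructed samples trimmed to the fields the check reads, not captured from a cluster; the binary path in the sample command is an assumption.

```python
"""Offline check for the kube-proxy config wiring of the openshift-sdn DaemonSet.

Usage:  oc get -n openshift-sdn ds sdn -o json | python3 check_sdn_proxy_config.py
"""
import json
import os
import re
import sys

EXPECTED_CONTAINER = "sdn"
EXPECTED_PROXY_CONFIG = "/config/kube-proxy-config.yaml"
EXPECTED_CONFIGMAP = "sdn-config"

# --proxy-config may appear as its own argv token, as --proxy-config=path, or
# inside a "bash -c" wrapper script, so every argument string is scanned.
_PROXY_CONFIG_RE = re.compile(r"--proxy-config(?:=|\s+)(\S+)")


def proxy_config_paths(container):
    """All values passed to --proxy-config in the container's command and args."""
    argv = list(container.get("command") or []) + list(container.get("args") or [])
    return [m.group(1) for arg in argv for m in _PROXY_CONFIG_RE.finditer(arg)]


def check_sdn_daemonset(ds):
    """Return a list of findings; an empty list means the DaemonSet is compliant."""
    findings = []
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    containers = [c for c in pod.get("containers", []) if c.get("name") == EXPECTED_CONTAINER]
    if not containers:
        return [f"no container named {EXPECTED_CONTAINER!r} in the DaemonSet"]
    sdn = containers[0]

    paths = proxy_config_paths(sdn)
    if paths != [EXPECTED_PROXY_CONFIG]:
        findings.append(f"--proxy-config is {paths or 'unset'}, expected [{EXPECTED_PROXY_CONFIG!r}]")

    # The config file must be reached through a volumeMount of its directory.
    mount_dir = os.path.dirname(EXPECTED_PROXY_CONFIG)
    mounts = [m for m in sdn.get("volumeMounts", []) if m.get("mountPath") == mount_dir]
    if not mounts:
        findings.append(f"no volumeMount at {mount_dir}")
        return findings
    volume_name = mounts[0].get("name")

    # That mount must be backed by the sdn-config ConfigMap, not a hostPath or other source.
    volumes = {v.get("name"): v for v in pod.get("volumes", [])}
    vol = volumes.get(volume_name)
    if vol is None:
        findings.append(f"volumeMount {volume_name!r} has no matching volume")
    elif "configMap" not in vol:
        findings.append(f"volume {volume_name!r} is not a ConfigMap: {sorted(k for k in vol if k != 'name')}")
    elif vol["configMap"].get("name") != EXPECTED_CONFIGMAP:
        findings.append(f"volume {volume_name!r} uses ConfigMap {vol['configMap'].get('name')!r}, "
                        f"expected {EXPECTED_CONFIGMAP!r}")
    return findings


# Constructed compliant sample, trimmed to the fields the check reads; not taken from a
# real cluster, and the binary path in the wrapper script is assumed.
SAMPLE_DS = {
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "sdn",
            "command": ["/bin/bash", "-c",
                        "set -euo pipefail\n"
                        "exec /usr/bin/openshift-sdn-node --proxy-config=/config/kube-proxy-config.yaml"],
            "volumeMounts": [{"name": "config", "mountPath": "/config", "readOnly": True}],
        }],
        "volumes": [{"name": "config", "configMap": {"name": "sdn-config"}}],
    }}}
}

# Constructed non-compliant variant: same container, but /config comes from a hostPath,
# so the kubelet no longer controls the file's ownership.
SAMPLE_DS_HOSTPATH = json.loads(json.dumps(SAMPLE_DS))
SAMPLE_DS_HOSTPATH["spec"]["template"]["spec"]["volumes"] = [
    {"name": "config", "hostPath": {"path": "/etc/kube-proxy"}}
]


def main():
    """Read a DaemonSet JSON object from stdin; exit 1 if any finding is raised."""
    findings = check_sdn_daemonset(json.load(sys.stdin))
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("PASS: sdn --proxy-config is served from the sdn-config ConfigMap")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script exits non-zero on any finding, so it can sit in a compliance pipeline alongside the oc command above; running it against SAMPLE_DS yields no findings, while SAMPLE_DS_HOSTPATH is flagged because the /config mount is no longer a ConfigMap.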
Rationale
The kubeconfig file for kube-proxy carries the credentials that grant the kube-proxy service its permissions against the cluster API. The proxy kubeconfig file contains information about the administrative configuration of the OpenShift cluster that is configured on the system, so protection of this file is critical for OpenShift security. Because the file is delivered through a ConfigMap mount, the kubelet itself ensures that its ownership and permissions are appropriate for the container that consumes it, rather than relying on the ownership of a file on the host filesystem.
- ID
- xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig
- Severity
- Medium