
Verify Permissions on the Worker Proxy Kubeconfig File

An XCCDF Rule

Description

On OpenShift the kube-proxy configuration for the sdn DaemonSet is supplied by the sdn-config ConfigMap rather than by a kubeconfig file on disk, so the permission restriction applies to the mounted ConfigMap. Check that the config volume of the sdn DaemonSet mounts the sdn-config ConfigMap with defaultMode set to 420 (octal 0644: owner read/write, group and others read-only):

{
  "configMap": {
    "defaultMode": 420,
    "name": "sdn-config"
  },
  "name": "config"
}

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn API endpoint, and save the response to the local /apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn file.
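The following is an added example of the check described above, written for this page; it is not the rule's own OVAL content or part of the ComplianceAsCode project. It evaluates a dumped DaemonSet object offline: it locates the volume that sources the sdn-config ConfigMap and passes only when that volume's defaultMode is exactly 420. The embedded DaemonSet is a constructed sample trimmed to the fields the check reads, not a real cluster dump; the file name check_sdn_config_mode.py and the helper with_mode are assumptions for illustration.

```python
"""Offline check of the sdn-config ConfigMap mount mode in the sdn DaemonSet."""
import json
import sys

# decimal 420 == octal 0644: owner read/write, group and others read-only.
EXPECTED_MODE = 420

# Constructed sample of the /apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn
# dump, trimmed to the fields this check reads. It is not a real cluster dump.
SAMPLE_DUMP = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "sdn", "namespace": "openshift-sdn"},
  "spec": {"template": {"spec": {"volumes": [
    {"name": "config", "configMap": {"name": "sdn-config", "defaultMode": 420}},
    {"name": "host-var-run-openvswitch", "hostPath": {"path": "/var/run/openvswitch"}}
  ]}}}
}
""")


def find_configmap_volume(daemonset, configmap_name):
    """Return the pod-template volume that sources the named ConfigMap, or None."""
    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    for volume in pod_spec.get("volumes", []):
        source = volume.get("configMap")
        if source and source.get("name") == configmap_name:
            return volume
    return None


def check_configmap_mode(daemonset, configmap_name="sdn-config", expected=EXPECTED_MODE):
    """Return (passed, detail).

    Passes only when a volume sourcing `configmap_name` exists and its
    defaultMode equals `expected`. A defaultMode that is absent from the dump is
    reported as a finding rather than assumed to be the Kubernetes default, so
    the check never passes on a guess.
    """
    volume = find_configmap_volume(daemonset, configmap_name)
    if volume is None:
        return False, f"no volume sources ConfigMap {configmap_name!r}"
    name = volume.get("name")
    mode = volume["configMap"].get("defaultMode")
    if mode is None:
        return False, f"volume {name!r}: defaultMode not set"
    if mode != expected:
        return False, (f"volume {name!r}: defaultMode is {mode} (0{mode:o}), "
                       f"expected {expected} (0{expected:o})")
    return True, f"volume {name!r}: defaultMode {mode} (0{mode:o})"


def with_mode(daemonset, mode, configmap_name="sdn-config"):
    """Return a deep copy of `daemonset` with the ConfigMap volume's defaultMode
    replaced by `mode`; hypothetical helper for exercising the check against a
    weak setting such as 438 (octal 0666)."""
    clone = json.loads(json.dumps(daemonset))
    find_configmap_volume(clone, configmap_name)["configMap"]["defaultMode"] = mode
    return clone


def main(argv):
    """Usage: check_sdn_config_mode.py [path-to-dumped-daemonset.json]

    Without an argument the constructed sample above is checked.
    """
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            daemonset = json.load(fh)
    else:
        daemonset = SAMPLE_DUMP
    passed, detail = check_configmap_mode(daemonset)
    print(("PASS" if passed else "FAIL") + ": " + detail)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against a live cluster, the dump the warning refers to can be produced with `oc get -n openshift-sdn daemonset/sdn -o json` redirected to the local file, which is then passed as the script's argument. The check compares for equality rather than "at most 0644" because the rule text prescribes the value 420 exactly; it also prints the mode in octal alongside the decimal value, since defaultMode in API objects is decimal and a mode such as 438 is easy to misread until it is shown as 0666.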

Rationale

The kube-proxy kubeconfig file controls various parameters of the kube-proxy service on the worker node. Where such a file is used, its permissions should be restricted to maintain its integrity: it should be writable only by administrators on the system. On OpenShift, kube-proxy runs with its kubeconfig parameters supplied as a Kubernetes ConfigMap instead of a file, so there is no proxy kubeconfig file on the node; the equivalent restriction applies to the mode with which the ConfigMap is mounted.

ID
xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig
Severity
Medium
References
Updated