The Kubernetes KubeletConfiguration file must be owned by root.

An XCCDF Rule

Description

<VulnDiscussion>The kubelet configuration file contains the runtime configuration of the kubelet service. If an attacker can gain access to this file, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-242406r918168_rule
Severity: Medium
References: CCI-001499
Updated: 8 months ago

On the Control Plane and Worker nodes, change to the --config directory. Run the command:
chown root:root kubelet

To verify the change took place, run the command:
ls -l kubelet
The kubelet file should now be owned by root:root.

The Kubernetes KubeletConfiguration file must be owned by root.

Description

Remediation - Manual Procedure