3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.

Rationale:

The kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.

It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.

Solution

Run the below command (based on the file location on your system) on the each worker
node. For example,

chmod 644 <proxy kubeconfig file>

Impact:

None.

Default Value:

See the GKE documentation for the default value.

See Also

https://workbench.cisecurity.org/files/2764