4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root

Information

Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root.

Rationale:

The kubelet reads various parameters, including security settings, from a config file specified by the --config argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by root:root.

Impact:

None

Solution

Run the following command (using the config file location identified in the Audit step)

chown root:root /etc/kubernetes/kubelet.conf

Default Value:

By default, /etc/kubernetes/kubelet.conf file as set up by kubeadm is owned by root:root.

See Also

https://workbench.cisecurity.org/files/3891