4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive

Information

If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive.

Rationale:

The kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.

It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.

Impact:

None

Solution

Run the below command (based on the file location on your system) on each worker node. For example,

chmod 600 <proxy kubeconfig file>

Default Value:

By default, proxy file has permissions of 640.

See Also

https://workbench.cisecurity.org/files/3891