4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root

Information

Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root.

Rationale:

The kubelet reads various parameters, including security settings, from a config file specified by the --config argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by root:root.

Impact:

None

Solution

Run the following command (using the config file location identified in the Audit step)

chown root:root /etc/kubernetes/kubelet.conf

Default Value:

By default, /var/lib/kubelet/config.yaml file as set up by kubeadm is owned by root:root.

See Also

https://workbench.cisecurity.org/files/3892