1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive

Information

Ensure that Kubernetes PKI certificate files have permissions of 600 or more restrictive.

Rationale:

Kubernetes makes use of a number of certificate files as part of the operation of its components. The permissions on these files should be set to 600 or more restrictive to protect their integrity.

Impact:

None

Solution

Run the below command (based on the file location on your system) on the Control Plane node. For example,

chmod -R 600 /etc/kubernetes/pki/*.crt

Default Value:

By default, the certificates used by Kubernetes are set to have permissions of 644

See Also

https://workbench.cisecurity.org/benchmarks/16828