Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Compliance > Kubernetes > CIS 1.24 > Worker Node Security Configuration >

Worker Node Configuration Files

N/A
Source
Kube Bench
ID
4.1
Version
cis-1.24

4.1 Worker Node Configuration Files

4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)

Run the below command (based on the file location on your system) on the each worker node. For example, chmod 600 $kubeletsvc

4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)

Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $kubeletsvc

4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)

Run the below command (based on the file location on your system) on the each worker node. For example, chmod 600 $proxykubeconfig

4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)

Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig

4.1.5 Ensure that the –kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)

Run the below command (based on the file location on your system) on the each worker node. For example, chmod 600 $kubeletkubeconfig

4.1.6 Ensure that the –kubeconfig kubelet.conf file ownership is set to root:root (Automated)

Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $kubeletkubeconfig

4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)

Run the following command to modify the file permissions of the –client-ca-file chmod 600

4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)

Run the following command to modify the ownership of the –client-ca-file. chown root:root

4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)

Run the following command (using the config file location identified in the Audit step) chmod 600 $kubeletconf

4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)

Run the following command (using the config file location identified in the Audit step) chown root:root $kubeletconf

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use