4 Configuration Files
4.1 Verify the OpenShift default permissions for the API server pod specification file
Recommended Action
Run the below command on the master node.
chmod 600 /etc/origin/node/pods/apiserver.yaml
4.2 Verify the OpenShift default file ownership for the API server pod specification file
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/node/pods/apiserver.yaml
4.3 Verify the OpenShift default file permissions for the controller manager pod specification file
Recommended Action
Run the below command on the master node.
chmod 600 /etc/origin/node/pods/controller.yaml
4.4 Verify the OpenShift default ownership for the controller manager pod specification file
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/node/pods/controller.yaml
4.5 Verify the OpenShift default permissions for the scheduler pod specification file
Recommended Action
Run the below command on the master node. In OpenShift 3.x the scheduler runs inside the controller pod, so its specification file is the same controller.yaml used in 4.3 and 4.6:
chmod 600 /etc/origin/node/pods/controller.yaml
To confirm the result, run stat -c permissions=%a /etc/origin/node/pods/controller.yaml and check that it reports 600.
4.6 Verify the scheduler pod specification file ownership set by OpenShift
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/node/pods/controller.yaml
4.7 Verify the OpenShift default etcd pod specification file permissions
Recommended Action
Run the below command on the master node.
chmod 600 /etc/origin/node/pods/etcd.yaml
4.8 Verify the OpenShift default etcd pod specification file ownership
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/node/pods/etcd.yaml
4.9 Verify the default OpenShift Container Network Interface file permissions
Recommended Action
Run the below command on the master node. Apply 644 to the regular files only: a recursive chmod 644 would also strip the execute bit from the directories themselves and leave them untraversable.
find /etc/origin/openvswitch/ /etc/cni/net.d/ -type f -exec chmod 644 {} +
4.10 Verify the default OpenShift Container Network Interface file ownership
Recommended Action
Run the below command on the master node.
chown -R root:root /etc/origin/openvswitch/ /etc/cni/net.d/
4.11 Verify the default OpenShift etcd data directory permissions
Recommended Action
On the etcd server node, get the etcd data directory, passed as the --data-dir argument,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd
4.12 Verify the default OpenShift etcd data directory ownership
Recommended Action
Run the below command on the etcd server node, against the etcd data directory found in 4.11. For example,
chown etcd:etcd /var/lib/etcd
4.13 Verify the default OpenShift admin.conf file permissions
Recommended Action
Run the below command on the master node.
chmod 644 /etc/origin/master/admin.kubeconfig
4.14 Verify the default OpenShift admin.conf file ownership
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/master/admin.kubeconfig
4.15 Verify the default OpenShift scheduler.conf file permissions
Recommended Action
Run the below command on the master node.
chmod 644 /etc/origin/master/openshift-master.kubeconfig
4.16 Verify the default OpenShift scheduler.conf file ownership
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/master/openshift-master.kubeconfig
4.17 Verify the default OpenShift controller-manager.conf file permissions
Recommended Action
Run the below command on the master node.
chmod 644 /etc/origin/master/openshift-master.kubeconfig
4.18 Verify the default OpenShift controller-manager.conf file ownership
Recommended Action
Run the below command on the master node.
chown root:root /etc/origin/master/openshift-master.kubeconfig
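The remediation commands above fix one file at a time but give no way to see which files have drifted. The script below is an added audit example, not part of the benchmark: it checks every path in section 4 against the mode and owner the recommended actions set, treating a mode as compliant when it is the recommended one or more restrictive, and reports each mismatch. It assumes GNU coreutils stat (as on the RHEL hosts OpenShift 3.x runs on), assumes the etcd data directory is /var/lib/etcd unless ETCD_DATA_DIR is set, and the optional ROOT argument to audit_section4 is a convenience of this example for auditing a staged copy of a master's filesystem.

```shell
#!/bin/sh
# Audit of the section 4 file checks (added example, not part of the benchmark).
# Assumes GNU stat (-c). The etcd data directory defaults to /var/lib/etcd; set
# ETCD_DATA_DIR to the --data-dir value read from "ps -ef | grep etcd" (see 4.11).

# check_file PATH MAX_MODE OWNER:GROUP
# Returns 0 when PATH's mode is MAX_MODE or more restrictive (no permission bit set
# that MAX_MODE does not also set) and owner:group matches; prints a finding and
# returns 1 on a mismatch, 2 when the path does not exist.
check_file() {
    cf_path=$1
    cf_max=$2
    cf_owner=$3
    if [ ! -e "$cf_path" ]; then
        printf 'MISSING  %s\n' "$cf_path"
        return 2
    fi
    cf_mode=$(stat -c '%a' "$cf_path")
    cf_got=$(stat -c '%U:%G' "$cf_path")
    cf_rc=0
    # A leading 0 makes the shell read the digits as octal. Bits present in the
    # actual mode but absent from MAX_MODE are exactly what makes it less restrictive.
    if [ "$(( 0$cf_mode & ~0$cf_max ))" -ne 0 ]; then
        printf 'MODE     %s is %s, want %s or more restrictive\n' "$cf_path" "$cf_mode" "$cf_max"
        cf_rc=1
    fi
    if [ "$cf_got" != "$cf_owner" ]; then
        printf 'OWNER    %s is %s, want %s\n' "$cf_path" "$cf_got" "$cf_owner"
        cf_rc=1
    fi
    return $cf_rc
}

# check_tree DIR MAX_MODE OWNER:GROUP
# Applies check_file to every regular file below DIR (the CNI and Open vSwitch
# directories of 4.9/4.10). Directories are not held to 644 because they need
# their execute bit to stay traversable.
check_tree() {
    ct_dir=$1
    ct_max=$2
    ct_owner=$3
    if [ ! -d "$ct_dir" ]; then
        printf 'MISSING  %s\n' "$ct_dir"
        return 2
    fi
    ct_rc=0
    ct_ifs=$IFS
    IFS='
'   # split find's output on newlines only; these config file names contain none
    for ct_f in $(find "$ct_dir" -type f); do
        check_file "$ct_f" "$ct_max" "$ct_owner" || ct_rc=1
    done
    IFS=$ct_ifs
    return $ct_rc
}

# audit_section4 [ROOT]
# Runs every section 4 check below ROOT (default /). Returns 0 only if all pass.
audit_section4() {
    a_root=${1:-/}
    a_root=${a_root%/}
    a_rc=0
    # Expected mode and owner per item, as set by the recommended actions.
    while read -r a_path a_max a_owner; do
        [ -n "$a_path" ] || continue
        check_file "$a_root$a_path" "$a_max" "$a_owner" || a_rc=1
    done <<EOF
/etc/origin/node/pods/apiserver.yaml 600 root:root
/etc/origin/node/pods/controller.yaml 600 root:root
/etc/origin/node/pods/etcd.yaml 600 root:root
${ETCD_DATA_DIR:-/var/lib/etcd} 700 etcd:etcd
/etc/origin/master/admin.kubeconfig 644 root:root
/etc/origin/master/openshift-master.kubeconfig 644 root:root
EOF
    for a_dir in /etc/origin/openvswitch /etc/cni/net.d; do
        check_tree "$a_root$a_dir" 644 root:root || a_rc=1
    done
    return $a_rc
}

# Invoked directly on a master: audit the live host, or the tree given as $1.
if [ "$#" -gt 0 ] || [ -d /etc/origin ]; then
    audit_section4 "${1:-/}"
fi
```

Run it as root on each master (and with ETCD_DATA_DIR set on an etcd node whose data directory is not /var/lib/etcd); every MODE or OWNER line it prints maps to one of the chmod/chown actions in this section, and a non-zero exit status means at least one item still needs remediation.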