N/A
Source: Kube Bench
ID: 1.1
Version: rke-cis-1.23

1.1 Control Plane Node Configuration Files

1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time.

1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time.

1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time.

1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time.

1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time.

1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time.

1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time.

1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time.

1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)

Run the following command (based on the file location on your system) on the control plane node. For example, chmod 644 <path/to/cni/files>

1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)

Run the following command (based on the file location on your system) on the control plane node. For example, chown root:root <path/to/cni/files>

1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)

On the etcd server node, get the etcd data directory, passed as the --data-dir argument, from the output of 'ps -ef | grep etcd'. Run the following command (based on the etcd data directory found above). For example, chmod 700 /var/lib/etcd

1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)

On the etcd server node, get the etcd data directory, passed as the --data-dir argument, from the output of 'ps -ef | grep etcd'. Run the following command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd

1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)

Clusters provisioned by RKE do not store the Kubernetes default kubeconfig credentials file on the nodes.

1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not store the Kubernetes default kubeconfig credentials file on the nodes.

1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time.

1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time.

1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time.

1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)

Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time.

1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)

Run the following command (based on the file location on your system) on the control plane node. For example, chown -R root:root /etc/kubernetes/pki/

1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)

Run the following command (based on the file location on your system) on the control plane node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt

1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)

Run the following command (based on the file location on your system) on the control plane node. For example, chmod -R 600 /etc/kubernetes/pki/*.key
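The checks above that still apply to an RKE control plane (1.1.9 to 1.1.12 and 1.1.19 to 1.1.21) all reduce to "mode is N or more restrictive, owner is X". The following audit script is an added example, not kube-bench or RKE code; it assumes GNU coreutils (stat -c, find) and treats the CNI directory as a site-specific assumption, since the remediation text leaves that path to the operator.

```shell
#!/bin/sh
# Added audit helper for the RKE-applicable checks in section 1.1. It is not
# kube-bench or RKE code. Assumes GNU coreutils (stat -c, find); the CNI path
# is an assumption, as the page leaves it site-specific.

# perm_ok MODE MAX: succeed when octal MODE sets no permission bit that MAX
# lacks, i.e. MODE is "MAX or more restrictive" (600 passes a 644 check,
# 664 and 1644 do not). Leading 0 makes the shell parse the digits as octal.
perm_ok() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_file PATH MAX OWNER: print one PASS/FAIL line; non-zero on FAIL.
# OWNER may be given by name (root:root, etcd:etcd) or numerically (0:0).
check_file() {
    mode=$(stat -c '%a' "$1") || return 1
    names=$(stat -c '%U:%G' "$1")
    ids=$(stat -c '%u:%g' "$1")
    status=PASS
    perm_ok "$mode" "$2" || status=FAIL
    [ "$names" = "$3" ] || [ "$ids" = "$3" ] || status=FAIL
    printf '%s %s mode=%s owner=%s want<=%s %s\n' "$status" "$1" "$mode" "$names" "$2" "$3"
    [ "$status" = PASS ]
}

# check_tree DIR GLOB MAX OWNER: check_file on every matching regular file
# under DIR; the return value is the number of failing files (0 = all pass).
check_tree() {
    find "$1" -type f -name "$2" 2>/dev/null | (
        fails=0
        while read -r f; do
            check_file "$f" "$3" "$4" || fails=$((fails + 1))
        done
        exit "$fails"   # the subshell's exit code becomes the pipeline status
    )
}

# audit_rke_control_plane: items 1.1.9-1.1.12 and 1.1.19-1.1.21 (the others
# do not apply to RKE, which passes component config as container arguments).
audit_rke_control_plane() {
    cni_dir="${CNI_DIR:-/etc/cni/net.d}"                   # assumed default
    # etcd data dir from the running process's --data-dir, else the page's example
    etcd_dir=$(ps -ef | grep '[e]tcd' | sed -n 's/.*--data-dir[= ]\([^ ]*\).*/\1/p' | head -n 1)
    check_tree "$cni_dir" '*' 644 root:root                # 1.1.9, 1.1.10
    check_file "${etcd_dir:-/var/lib/etcd}" 700 etcd:etcd  # 1.1.11, 1.1.12
    check_tree /etc/kubernetes/pki '*.crt' 644 root:root   # 1.1.19, 1.1.20
    check_tree /etc/kubernetes/pki '*.key' 600 root:root   # 1.1.19, 1.1.21
}
```

Source the file and call audit_rke_control_plane as root on the control plane node; every FAIL line names the file and the chmod/chown target from the matching remediation above.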