1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive

Information

Ensure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.

Rationale:

Kubernetes makes use of a number of certificate files as part of the operation of its components. The permissions on these files should be set to 644 or more restrictive to protect their integrity.

Solution

Run the below command (based on the file location on your system) on the master node. For example,

chmod -R 644 /etc/kubernetes/pki/*.crt

Impact:

None

Default Value:

By default, the certificates used by Kubernetes are set to have permissions of 644

References:

https://kubernetes.io/docs/admin/kube-apiserver/

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.2

Plugin: Unix

Control ID: 473c1d6a27008b2f3a29894cc0b3e4d75b102ed3a962e74caf080a30ceaa8e9b