1.1.13 Ensure that the default administrative credential file permissions are set to 600

Information

Ensure that the admin.conf file (and the super-admin.conf file, where it exists) has permissions of 600.

Rationale:

As part of initial cluster setup, default kubeconfig files are created to be used by the administrator of the cluster. These files contain private keys and certificates which allow for privileged access to the cluster. You should restrict their file permissions to maintain the integrity and confidentiality of the file(s). The file(s) should be readable and writable by only the administrators on the system.

Impact:

None.

Solution

Run the command below on the Control Plane node, adjusting the path to match the file location on your system. For example:

chmod 600 /etc/kubernetes/admin.conf

On Kubernetes 1.29+, the super-admin.conf file should also be modified, if present. For example:

chmod 600 /etc/kubernetes/super-admin.conf
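
An audit check to pair with the remediation above, added here as an example and not taken from the benchmark or the plugin: it reports whether each file grants anything beyond owner read/write. The function names are hypothetical, GNU stat is assumed, and treating stricter modes such as 400 as passing is an assumption.

```bash
# Added example (not part of the benchmark text): audit the kubeconfig modes.
# Assumes GNU stat (coreutils), as found on typical Linux control plane nodes.

# check_kubeconfig_mode FILE
#   0 = mode grants nothing beyond owner read/write
#   1 = mode is more permissive than 600
#   2 = FILE is absent (e.g. no super-admin.conf on this node)
check_kubeconfig_mode() {
    local file=$1 mode
    if [ ! -e "$file" ]; then
        echo "SKIP $file (not present)"
        return 2
    fi
    # -L follows symlinks so the target's mode is judged; %a prints octal bits.
    mode=$(stat -L -c '%a' "$file") || return 1
    # Fail on any bit outside 0600: owner execute, group, other, setuid/setgid/sticky.
    if [ $(( 0$mode & ~0600 & 07777 )) -ne 0 ]; then
        echo "FAIL $file mode=$mode (expected 600)"
        return 1
    fi
    echo "PASS $file mode=$mode"
    return 0
}

# audit_admin_kubeconfigs [DIR]
#   DIR defaults to /etc/kubernetes, the location used in the remediation above.
#   Returns 1 if any file that is present fails the check, else 0.
audit_admin_kubeconfigs() {
    local dir=${1:-/etc/kubernetes} rc=0 status name
    for name in admin.conf super-admin.conf; do
        status=0
        check_kubeconfig_mode "$dir/$name" || status=$?
        if [ "$status" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}

# Usage on a control plane node: audit_admin_kubeconfigs /etc/kubernetes
```

A missing super-admin.conf is reported as SKIP and does not fail the audit, matching the "if present" wording of the remediation.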

Default Value:

By default, admin.conf and super-admin.conf have permissions of 600.

See Also

https://workbench.cisecurity.org/benchmarks/16828

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 08c4c52dbe01b4dd7746b44a89d864a311a437dd02c7e292e18a9ad9a740bdc1