1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Ensure that the /etc/kubernetes/manifests/etcd.yaml file has permissions of 600 or more restrictive.


The etcd pod specification file /etc/kubernetes/manifests/etcd.yaml controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.



NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


There is no remediation for updating the permissions of etcd-pod.yaml. The file is owned by an OpenShift operator and any changes to the file will result in a degraded cluster state.
Please do not attempt to remediate the permissions of this file.

Default Value:

By default, in OpenShift 4, /etc/kubernetes/manifests/etcd-pod.yaml file has permissions of 644.

By default, in OpenShift 4.14, the etcd-pod.yaml has permissions of 600.

In older versions of OpenShift, the etcd-pod.yaml has permissions of 644, and is not remediable. Please upgrade to OpenShift 4.14 when possible.

See Also