Profile Applicability:
Level 1
Description:
The kubeconfig file contains the credentials and configuration for accessing the Kubernetes cluster. It is essential to set appropriate file permissions to ensure that unauthorized users cannot access sensitive configuration information.
Rationale:
Ensuring the correct file permissions for the kubeconfig file helps mitigate the risk of exposing sensitive cluster credentials. By restricting access to the file, organizations can prevent unauthorized users from gaining access to the Kubernetes cluster.
Impact:
Pros:
Prevents unauthorized users from accessing cluster credentials.
Enhances security by restricting access to sensitive configuration files.
Cons:
May require additional access control management for users who need to modify or view the kubeconfig file.
Default Value:
The kubeconfig file typically has permissions set to 644 by default, but this can vary depending on the system configuration.
Pre-requisites:
Ensure that the kubeconfig file is present and accessible, and that you have the necessary permissions to modify its file attributes.
Remediation:
Test Plan:
Using Azure Console:
Use the system’s file management interface to navigate to the kubeconfig file.
Verify the file permissions for the kubeconfig file.
Using Azure CLI:
Use the following command to check the permissions of the kubeconfig file:
ls -l ~/.kube/config
Ensure that the file permissions are set to 644 or more restrictive.
Implementation Plan:
Using Azure Console:
Navigate to the location of the kubeconfig file.
Modify the file permissions to 644 or more restrictive using the file management interface.
Using Azure CLI:
Update the file permissions for the kubeconfig file:
chmod 644 ~/.kube/config
Backout Plan:
Using Azure Console:
If modifying the file permissions causes issues, revert to the original file permissions using the file management interface.
Using Azure CLI:
Revert the permissions to the previous state using the following command:
chmod <previous-permissions> ~/.kube/config
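Added example (not part of the original benchmark text): a POSIX shell sketch of the test, implementation and backout plans above. It checks the mode against 644 with a bitmask, clears only the excess bits so that an already stricter file such as 600 is never loosened, and saves the previous mode for the backout step. The function names and the `<file>.mode.bak` sidecar file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit, tighten and back out kubeconfig permissions.
# Function names and the "<file>.mode.bak" sidecar are assumptions of this sketch.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if mode $1 grants no bit outside 644 (setuid/setgid/sticky included).
mode_ok() {
    [ $(( 0$1 & ~0644 & 07777 )) -eq 0 ]
}

# Test plan: report PASS/FAIL for "644 or more restrictive".
audit_kubeconfig() {
    f=${1:-$HOME/.kube/config}
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    m=$(file_mode "$f")
    if mode_ok "$m"; then
        echo "PASS $f mode=$m"
    else
        echo "FAIL $f mode=$m"
        return 1
    fi
}

# Implementation plan: clear only the excess bits, so 600 stays 600 and 666 becomes 644.
remediate_kubeconfig() {
    f=${1:-$HOME/.kube/config}
    old=$(file_mode "$f") || return 2
    if mode_ok "$old"; then return 0; fi
    echo "$old" > "$f.mode.bak"      # previous mode, kept for the backout plan
    chmod "$(printf '%o' $(( 0$old & 0644 )))" "$f"
}

# Backout plan: restore the mode recorded by remediate_kubeconfig.
backout_kubeconfig() {
    f=${1:-$HOME/.kube/config}
    [ -f "$f.mode.bak" ] || return 1
    chmod "$(cat "$f.mode.bak")" "$f" && rm -f "$f.mode.bak"
}
```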