Profile applicability: Level 1
If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.
The kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.
Note
The default ownership of the proxy kubeconfig file is root:root.

Impact

Overly permissive file access increases the security risk to the platform.

Audit

Using Google Cloud Console
  1. Go to Kubernetes Engine.
  2. Click on the desired cluster to open the Details page, then click on the desired Node pool to open the Node pool Details page.
  3. Note the name of the desired node.
  4. Go to VM Instances.
  5. Find the desired node and click on SSH to open an SSH connection to the node.
Using Command Line
Method 1: SSH to the worker nodes
  1. Check whether the kubelet service is running:
    sudo systemctl status kubelet
  2. The output should include Active: active (running) since.... Run the following command on each node to find the path of the kubeconfig file:
    ps -ef | grep kubelet
  3. The output of the above command should contain an argument similar to --kubeconfig=/var/lib/kubelet/kubeconfig, which is the location of the kubeconfig file.
  4. Run this command to obtain the kubeconfig file ownership:
    stat -c %U:%G /var/lib/kubelet/kubeconfig
  5. The output of the above command gives you the kubeconfig file's ownership. Verify that the ownership is set to root:root.
Method 2: Create and Run a Privileged Pod
  1. Run a pod that is privileged enough to access the host's file system by deploying a pod that uses the hostPath volume to mount the node's file system into the pod. Here's an example of a simple pod definition that mounts the root of the host to /host within the pod:
    apiVersion: v1
    kind: Pod
    metadata:
      name: file-check
    spec:
      volumes:
      - name: host-root
        hostPath:
          path: /
          type: Directory
      containers:
      - name: nsenter
        image: busybox
        command: ["sleep", "3600"]
        volumeMounts:
        - name: host-root
          mountPath: /host
        securityContext:
          privileged: true
  2. Save this to a file (e.g., file-check-pod.yaml) and create the pod:
    kubectl apply -f file-check-pod.yaml
  3. Once the pod is running, you can exec into it to check file ownership on the node:
    kubectl exec -it file-check -- sh
  4. From the shell inside the pod, the node's file system is available under the /host directory; check the ownership of the file there:
    ls -l /host/var/lib/kubelet/kubeconfig
  5. Verify that the ownership is set to root:root.
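The per-node audit above (locate the kubeconfig path from the process command line, then compare its owner:group against root:root) as a small POSIX shell script. This is an added example, not part of the benchmark; it assumes a Linux node with GNU stat (for -c) and a ps that supports -eo args, and the process name to inspect (kubelet by default, as in the steps above) is a parameter.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit kubeconfig file ownership on a node.

# Print the value of --kubeconfig from a command-line string.
# Accepts both "--kubeconfig=/path" and "--kubeconfig /path" forms; prints nothing if absent.
kubeconfig_from_cmdline() {
  printf '%s\n' "$1" | sed -n 's/.*--kubeconfig[= ]\([^ ]*\).*/\1/p'
}

# Compare FILE's owner:group (GNU stat) with EXPECTED (default root:root).
# Returns 0 on match, 1 on mismatch, 2 if the file is missing; prints the finding.
check_owner() {
  file=$1
  expected=${2:-root:root}
  if [ ! -e "$file" ]; then
    echo "FAIL: $file does not exist"
    return 2
  fi
  actual=$(stat -c %U:%G "$file")
  if [ "$actual" = "$expected" ]; then
    echo "PASS: $file is owned by $actual"
    return 0
  fi
  echo "FAIL: $file is owned by $actual, expected $expected"
  return 1
}

# Audit one node: find the kubeconfig referenced by the running process (kubelet by
# default, as the benchmark's audit steps do; pass kube-proxy to inspect that instead).
audit_node() {
  proc=${1:-kubelet}
  cmdline=$(ps -eo args= | grep -v grep | grep -m1 -- "$proc")
  path=$(kubeconfig_from_cmdline "$cmdline")
  if [ -z "$path" ]; then
    echo "SKIP: no --kubeconfig argument found for $proc"
    return 2
  fi
  check_owner "$path" root:root
}
```

Run `audit_node` (or `audit_node kube-proxy`) as root on each worker node; a non-zero exit code marks a finding.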

Remediation

Run the below command (based on the file location on your system) on each worker node:
chown root:root <proxy kubeconfig file>