UCF STIG Viewer Logo

The Kubernetes manifests must have least privileges.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242408 CNTR-K8-000900 SV-242408r712580_rule Medium
Description
The manifest files contain the runtime configuration of the API server, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemented. Satisfies: SRG-APP-000133-CTR-000310, SRG-APP-000133-CTR-000295
STIG Date
Kubernetes Security Technical Implementation Guide 2021-04-14

Details

Check Text ( C-45683r712578_chk )
On the Master node, change to the /etc/kubernetes/manifest directory. Run the command:

ls -l *

Each manifest file must have permissions "644" or more restrictive.

If any manifest file is less restrictive than "644", this is a finding.
Fix Text (F-45641r712579_fix)
On the Master node, change to the /etc/kubernetes/manifest directory. Run the command:

chmod 644 *

To verify the change took place, run the command:

ls -l *

All the manifest files should now have privileges of "644".