1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
documentation_complete: true
title: 'Verify Permissions on the OpenShift Controller Manager Kubeconfig File'
description: |-
{{{ describe_file_permissions(file="/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig", perms="0600") }}}
rationale: |-
The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system.
identifiers:
cce@ocp4: CCE-83604-9
severity: medium
references:
cis@ocp4: 1.1.17
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig", perms="-rw-------") }}}'
ocil: |-
{{{ ocil_file_permissions(file="/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig", perms="-rw-------") }}}
platform: ocp4-master-node
warnings:
- dependency: |-
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default.
template:
name: file_permissions
vars:
filepath: ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$
filemode: '0600'
filepath_is_regex: "true"
|
