kube-bench

Check 4.17

Open. SeryioGonzalez opened this issue 3 years ago • 1 comment

Check 4.1.7 is based on the flag --ca-file, but the CA file can be passed in kubelet-config.yaml.

SeryioGonzalez, Oct 15 '22 20:10

@SeryioGonzalez, not sure which version of CIS you were referring to, but in general check 4.1.7, "Ensure that the certificate authorities file permissions are set to 6XX or more restrictive (Manual)", has two possible conditions:

  1. Either the $CAFILE path is retrieved from the running process definition, via --client-ca-file=.
  2. Or the $CAFILE value is retrieved from the configmap variable $kubeletcafile, if the former condition is not fulfilled.

My take is that it's better to validate the confs when they are loaded and used; however, it might also be relevant to confirm where they originate from and test that origin (in your case kubelet-config.yaml).

andypitcher, Apr 30 '24 19:04
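The two-source lookup described in the reply, written out as an added example (this is not kube-bench's own check code). It resolves the CA file first from the kubelet process arguments (`--client-ca-file`, as on the page) and otherwise from the `authentication.x509.clientCAFile` key of the file named by `--config`, then tests the file mode. Assumptions: the `--config` flag and the `clientCAFile` key are taken from the kubelet's documented configuration rather than from this thread, the "6XX or more restrictive" wording is read as a ceiling of 644, and the config file is scanned with a line regex instead of a YAML parser. All sample files are constructed inside a temporary directory.

```python
import os
import re
import shlex
import stat
import tempfile

CA_FLAG = "--client-ca-file"   # first source: the running kubelet's arguments (from the page)
CONFIG_FLAG = "--config"       # assumed: kubelet flag naming the KubeletConfiguration file
MAX_MODE = 0o644               # assumed ceiling for "6XX or more restrictive"


def flag_value(args, flag):
    """Return the value of `flag` from an argument list, accepting both the
    `--flag=value` and `--flag value` spellings. None when the flag is absent."""
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def ca_file_from_config(config_text):
    """Pull authentication.x509.clientCAFile out of a KubeletConfiguration.
    A line-oriented regex keeps the example free of a YAML dependency; a real
    audit should parse the document properly instead."""
    match = re.search(r"^\s*clientCAFile:\s*[\"']?([^\s\"']+)", config_text, re.M)
    return match.group(1) if match else None


def read_text(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def resolve_ca_file(cmdline, config_reader=read_text):
    """Locate the CA file as the check describes: the process flag wins,
    otherwise fall back to the config file named by --config.
    Returns (path, source) with source one of "flag", "config" or None."""
    args = shlex.split(cmdline)
    path = flag_value(args, CA_FLAG)
    if path:
        return path, "flag"
    config_path = flag_value(args, CONFIG_FLAG)
    if config_path:
        path = ca_file_from_config(config_reader(config_path))
        if path:
            return path, "config"
    return None, None


def is_restrictive_enough(mode, max_mode=MAX_MODE):
    """True when `mode` grants no permission bit that `max_mode` does not."""
    return (stat.S_IMODE(mode) & ~max_mode) == 0


def audit(cmdline, config_reader=read_text):
    """Run the 4.1.7 logic: resolve the CA file from either source, then test its mode."""
    path, source = resolve_ca_file(cmdline, config_reader)
    result = {"path": path, "source": source, "mode": None, "pass": False}
    if path is None:
        result["reason"] = "no CA file configured via flag or config file"
        return result
    mode = stat.S_IMODE(os.stat(path).st_mode)
    result["mode"] = oct(mode)
    result["pass"] = is_restrictive_enough(mode)
    result["reason"] = "ok" if result["pass"] else f"mode {oct(mode)} looser than {oct(MAX_MODE)}"
    return result


def self_check():
    """Build a throwaway kubelet layout (constructed sample files) and audit it
    both ways: CA file referenced only from kubelet-config.yaml, then via the flag."""
    with tempfile.TemporaryDirectory() as tmp:
        ca = os.path.join(tmp, "ca.crt")
        cfg = os.path.join(tmp, "kubelet-config.yaml")
        with open(ca, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        with open(cfg, "w") as fh:
            fh.write("kind: KubeletConfiguration\n"
                     "authentication:\n"
                     "  x509:\n"
                     f"    clientCAFile: {ca}\n")
        os.chmod(ca, 0o644)
        via_config = audit(f"/usr/bin/kubelet --config={cfg}")   # no flag: config path is used
        os.chmod(ca, 0o664)                                       # group-writable: must fail
        via_flag = audit(f"/usr/bin/kubelet {CA_FLAG}={ca}")
        return via_config, via_flag


if __name__ == "__main__":
    for outcome in self_check():
        print(outcome)
```

The first audit in `self_check` is the situation the issue raises: nothing on the command line names the CA file, so a flag-only check would report "not configured", while following `--config` finds the file and evaluates its mode. The second audit shows the same file failing once it is loosened to 664.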