data.yaml

metadata:
  id: ab555e6d-b77e-5c85-b6a8-333f7e567b6b
  name: Ensure that the kubelet configuration file ownership is set to root:root
  profile_applicability: '* Level 1'
  description: |-
    Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.
  rationale: |-
    The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument.
    If this file is specified you should restrict its file permissions to maintain the integrity of the file.
    The file should be writable by only the administrators on the system.
  audit: |-
    First, SSH to the relevant worker node:

    To check to see if the Kubelet Service is running:
    ```
    sudo systemctl status kubelet
    ```
    The output should return `Active: active (running) since..`

    Run the following command on each node to find the appropriate Kubelet config file:

    ```
    ps -ef | grep kubelet
    ```
    The output of the above command should return something similar to `--config /etc/kubernetes/kubelet/kubelet-config.json` which is the location of the Kubelet config file.

    Run the following command:

    ```
    stat -c %U:%G /etc/kubernetes/kubelet/kubelet-config.json
    ```
    The output of the above command is the Kubelet config file's ownership.
    Verify that the ownership is set to `root:root`
  remediation: |-
    Run the following command (using the config file location identified in the Audit step)

    ```
    chown root:root /etc/kubernetes/kubelet/kubelet-config.json
    ```
  impact: None
  default_value: |
    See the AWS EKS documentation for the default value.
  references: 1. https://kubernetes.io/docs/admin/kube-proxy/
  section: Worker Node Configuration Files
  version: '1.0'
  tags:
  - CIS
  - EKS
  - CIS 3.1.4
  - Worker Node Configuration Files
  benchmark:
    name: CIS Amazon Elastic Kubernetes Service (EKS)
    version: v1.0.1
    id: cis_eks
    rule_number: 3.1.4
    posture_type: kspm