data.yaml

metadata:
  id: 1915b785-942d-5613-9a24-b40394ef745f
  name: Ensure that the kubelet --config configuration file ownership is set to root:root
  profile_applicability: '* Level 1 - Worker Node'
  description: |-
    Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.
  rationale: |-
    The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument.
    If this file is specified you should restrict its file permissions to maintain the integrity of the file.
    The file should be owned by root:root.
  audit: |-
    Automated AAC auditing has been modified to allow CIS-CAT to input a variable for the <PATH>/<FILENAME> of the kubelet config yaml file.

    Please set $kubelet_config_yaml=<PATH><filename> based on the file location on your system 

    for example:
    ```
    export kubelet_config_yaml=/var/lib/kubelet/config.yaml

    ```

    To perform the audit manually:
    Run the below command (based on the file location on your system) on the each worker node.
    For example,

    ```
    stat -c %a /var/lib/kubelet/config.yaml
    ```Verify that the ownership is set to `root:root`.
  remediation: |-
    Run the following command (using the config file location identied in the Audit step)

    ```
    chown root:root /etc/kubernetes/kubelet.conf
    ```
  impact: None
  default_value: >
    By default, `/var/lib/kubelet/config.yaml` file as set up by `kubeadm` is
    owned by
    `root:root`.
  references: 1. https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
  section: Worker Node Configuration Files
  version: '1.0'
  tags:
  - CIS
  - Kubernetes
  - CIS 4.1.10
  - Worker Node Configuration Files
  benchmark:
    name: CIS Kubernetes V1.23
    version: v1.0.1
    id: cis_k8s
    rule_number: 4.1.10
    posture_type: kspm