Ensure that the certificate authorities file permissions are set to 600 or more restrictive

Property
Language: terraform
Severity: critical

Description

The certificate authorities file is configured with permissions more permissive than 600, allowing access beyond the file owner. This increases the risk that unauthorized users or processes could read or modify sensitive certificate data.

Impact

If exploited, unauthorized individuals could gain access to trusted certificate information, potentially enabling man-in-the-middle attacks, interception of encrypted traffic, or unauthorized system access. This undermines the security of authentication and encrypted communications across the environment.

Ensure that the client certificate authorities file ownership is set to root:root

Property
Language: terraform
Severity: critical

Description

The client certificate authorities file is not owned by root:root, which allows unauthorized users or processes to modify trusted CA certificates. This misconfiguration undermines the trust model of certificate-based authentication.

Impact

If exploited, attackers could replace or tamper with CA certificates, enabling them to intercept, decrypt, or impersonate secure communications within the cluster, potentially leading to privilege escalation or total compromise of the environment.

Ensure that the controller-manager config file permissions are set to 600 or more restrictive

Property
Language: terraform
Severity: high

Description

The controller-manager configuration file has overly permissive permissions, allowing unauthorized users to read or modify its contents. Secure file permissions (600 or more restrictive) are not enforced, so sensitive configuration data is exposed to other users on the host.

Impact

If exploited, attackers with local access could read or alter the controller-manager’s configuration, potentially gaining control over cluster operations or disrupting Kubernetes functionality, leading to privilege escalation or denial of service.

Ensure that the etcd data directory ownership is set to etcd:etcd

Property
Language: terraform
Severity: low

Description

The etcd data directory (/var/lib/etcd) is not owned by the etcd user and group, which allows unauthorized users or processes to access or modify its contents. This misconfiguration undermines the integrity and confidentiality of etcd data.

Impact

If exploited, unauthorized users or processes could read, modify, or delete etcd database files, potentially leading to compromise of sensitive cluster data, disruption of cluster operations, or escalation of privileges within the Kubernetes environment.

Ensure that the etcd data directory permissions are set to 700 or more restrictive

Property
Language: terraform
Severity: low

Description

The etcd data directory is configured with permissions more permissive than 700, allowing access to users other than the owner. This increases the risk of unauthorized read or write access to sensitive cluster data.

Impact

If exploited, unauthorized users on the host could access or modify etcd data, potentially leading to compromise of Kubernetes secrets, cluster configuration, or denial of service, undermining the entire cluster’s security.