| Property | |
|---|---|
| Language | |
| Severity | |
Description
Ensure that the etcd pod specification file ownership is set to root:root.
Resolution
Change the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml ownership to root:root
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the etcd pod specification file has permissions of 600 or more restrictive.
Change the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml permissions to 600 or more restrictive
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | keyvault |
| Provider | Azure |
| Vulnerability Type | omission |
Vault keys are created without an expiration date, allowing them to remain valid indefinitely. This increases the risk that old or unused keys continue to provide access beyond their intended lifecycle.
Keys without expiration dates can be exploited if compromised, as they never become inactive. This prolonged validity expands the attack surface, making it easier for attackers to use stolen or forgotten keys to access sensitive data or resources.
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
If using a Kubelet config file, edit the file to set TLSCipherSuites
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the kubelet service file ownership is set to root:root.
Change the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf ownership to root:root
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the kubelet service file has permissions of 600 or more restrictive.
Change the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf permissions to 600 or more restrictive
| Property | |
|---|---|
| Language | |
| Severity | |
The Kubernetes PKI certificate files have permissions set to allow access by users other than the file owner, rather than being restricted to 600. This misconfiguration exposes sensitive certificate data to unauthorized users on the system.
If exploited, unauthorized local users could read or copy Kubernetes PKI certificates, enabling them to impersonate cluster components, intercept secure communications, or escalate privileges within the cluster, potentially compromising the entire Kubernetes environment.
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the Kubernetes PKI directory and file ownership is set to root:root.
Change the Kubernetes PKI directory and file /etc/kubernetes/pki/ ownership to root:root
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the Kubernetes PKI key file permission is set to 600.
Change the Kubernetes PKI key file /etc/kubernetes/pki/*.key permission to 600
| Property | |
|---|---|
| Language | |
| Severity | |
The kube-controller-manager is not configured to enable automatic rotation of kubelet server certificates. Without this setting, kubelet certificates are not automatically renewed, which can lead to the use of outdated or compromised credentials.
If certificate rotation is not enabled, expired or potentially compromised kubelet server certificates may remain in use, increasing the risk of unauthorized access or disruption of secure communication within the Kubernetes cluster.