# Ensure that the Kubernetes PKI certificate file permission is set to 600

| Property | Value |
|---|---|
| Language | |
| Severity | |
## Description
The Kubernetes PKI certificate files under /etc/kubernetes/pki have permissions that allow access by users other than the file owner, rather than being restricted to 600 (read and write for the owner only). This misconfiguration exposes sensitive certificate data to unauthorized local users on the node.
## Impact
If exploited, unauthorized local users could read or copy Kubernetes PKI certificates, enabling them to impersonate cluster components, intercept secure communications, or escalate privileges within the cluster, potentially compromising the entire Kubernetes environment.
## Resolution
Change the permission of each Kubernetes PKI certificate file matching /etc/kubernetes/pki/*.crt to 600.
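As an added example (not part of the original rule text), the following POSIX shell helper audits a PKI directory for `*.crt` files whose mode is not 600 and remediates them. It assumes GNU `stat -c '%a'` (Linux) and takes the directory as an argument so it can be tried on a scratch copy before touching /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added audit/remediation helper for this rule; not from the original page.
# Assumes GNU coreutils `stat` (as found on Linux Kubernetes nodes).

# Print every *.crt file in $1 whose octal mode is not 600, as "<mode> <path>".
# Returns 0 when every certificate is already 600, 1 when at least one is not.
audit_pki_certs() {
    dir="${1:-/etc/kubernetes/pki}"
    rc=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue            # unmatched glob: no .crt files present
        mode=$(stat -c '%a' "$f")          # e.g. 644 or 600 (4600 if setuid etc.)
        if [ "$mode" != "600" ]; then
            printf '%s %s\n' "$mode" "$f"
            rc=1
        fi
    done
    return $rc
}

# Remediate: chmod 600 every file that audit_pki_certs flags, then re-audit.
# Returns 0 only if the directory is fully compliant afterwards.
fix_pki_certs() {
    dir="${1:-/etc/kubernetes/pki}"
    audit_pki_certs "$dir" | while read -r mode path; do
        chmod 600 "$path"
    done
    audit_pki_certs "$dir" >/dev/null
}
```

Run `audit_pki_certs /etc/kubernetes/pki` as root on a control-plane node to list non-compliant certificates, and `fix_pki_certs /etc/kubernetes/pki` to apply the 600 mode and confirm the result.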