The Kubernetes etcd must have file permissions set to 644 or more restrictive.

STIG ID: CNTR-K8-003260  |  SRG: SRG-APP-000516-CTR-001335  |  Severity: medium  |  CCI: CCI-000366  |  Vulnerability Id: V-242459

Vulnerability Discussion

The Kubernetes etcd key-value store holds the data for the Control Plane. If these files can be changed, the API object data and the Control Plane would be compromised.

Check

Review the permissions of the Kubernetes etcd data files by using the command (the -l flag is needed for ls to print the permission bits):

ls -lAR /var/lib/etcd/*

If any of the files have permissions more permissive than "644", this is a finding.

Fix

Change the permissions of the etcd files to "644" by executing the command:

chmod -R 644 /var/lib/etcd/*
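The following is an added example, not part of the STIG text, that implements both the Check and the Fix above as shell functions. It assumes GNU find and chmod (a Linux node) and defaults the data directory to /var/lib/etcd. The audit lists only regular files whose mode carries any bit beyond 0644 (group/other write, any execute bit, setuid/setgid/sticky); the remediation strips just those excess bits, so a file already at 600 stays 600 ("644 or more restrictive"), and it never touches directories, which must keep their execute bit or etcd cannot traverse its own data tree.

```shell
#!/bin/sh
# Added example for STIG V-242459 (not from the STIG itself).
# Assumes GNU findutils/coreutils; the directory argument defaults to
# /var/lib/etcd, the etcd data directory named in the check.

# Print "mode path" for every regular file under the directory whose mode has
# any bit outside 0644. -perm /7133 matches a file if ANY of these bits is set:
#   7000 = setuid/setgid/sticky, 0100 = user execute,
#   0033 = group/other write and execute.
# Returns 1 when at least one finding exists (a STIG finding), 0 when clean.
etcd_perm_findings() {
    dir=${1:-/var/lib/etcd}
    found=$(find "$dir" -type f -perm /7133 -printf '%m %p\n' | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Remediate by removing only the excess bits from offending regular files.
# Symbolic modes preserve anything already more restrictive than 644 and
# leave directories alone, so etcd can still read and traverse them.
etcd_perm_fix() {
    dir=${1:-/var/lib/etcd}
    find "$dir" -type f -perm /7133 -exec chmod u-xs,g-wxs,o-wxt {} +
}

# Usage on a node: run the audit first, then remediate and re-audit.
#   etcd_perm_findings /var/lib/etcd || etcd_perm_fix /var/lib/etcd
#   etcd_perm_findings /var/lib/etcd && echo "etcd data files compliant"
```

Run the audit in a scheduled job or configuration-management check so drift back to permissive modes is detected rather than only corrected once.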