Check 4.17 #1305

Open
SeryioGonzalez opened this issue Oct 15, 2022 · 1 comment

@SeryioGonzalez

Check 4.1.7 is based on flag --ca-file, but CA FILE can be passed in kubelet-config.yaml

@andypitcher
Contributor

@SeryioGonzalez not sure which version of CIS you were referring to, but in general check 4.1.7, "Ensure that the certificate authorities file permissions are set to 6XX or more restrictive (Manual)", has two possible conditions:

  1. Either $CAFILE path is retrieved through the running process definition, with --client-ca-file=.
  2. Or $CAFILE value is retrieved from the configmap variable $kubeletcafile, in case the former condition is not fulfilled.

My take is that it's better to validate the confs when they are loaded and used; however, it might also be relevant to confirm where they originate from and test this origin (in your case kubelet-config.yaml).
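
The two resolution paths discussed in this thread, sketched as a stand-alone POSIX shell check. This is an added example, not kube-bench's own audit code and not part of either comment: the function names are hypothetical, reading `authentication.x509.clientCAFile` from the kubelet config file is the assumed fallback, and the permission threshold is an argument because the thread gives it only as 6XX.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the --client-ca-file value from a kubelet command line ("" if absent).
# Accepts both "--client-ca-file=PATH" and "--client-ca-file PATH".
ca_from_cmdline() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | awk '
        /^--client-ca-file=/     { sub(/^--client-ca-file=/, ""); print; exit }
        $0 == "--client-ca-file" { if ((getline) > 0) print; exit }'
}

# Print clientCAFile from a kubelet config file ("" if absent or unreadable).
# Simplification: a line match, not a YAML parser.
ca_from_config() {
    [ -r "$1" ] || return 0
    awk '/^[ \t]*clientCAFile:/ { v = $2; gsub(/["'\'']/, "", v); print v; exit }' "$1"
}

# True when octal mode $1 sets no bit outside octal mask $2 (600 fits 644, not the reverse).
mode_within() { [ $(( 0$1 & ~0$2 )) -eq 0 ]; }

# $1 = kubelet command line, $2 = kubelet config file, $3 = loosest allowed mode.
# Returns 0 on pass, 1 on fail, 2 when no CA file could be resolved or read.
check_ca_perms() {
    cafile=$(ca_from_cmdline "$1"); src=flag                       # condition 1
    [ -n "$cafile" ] || { cafile=$(ca_from_config "$2"); src=config; }  # condition 2
    [ -n "$cafile" ] || { echo "WARN: no client CA file configured"; return 2; }
    mode=$(stat -c %a "$cafile" 2>/dev/null || stat -f %Lp "$cafile" 2>/dev/null) ||
        { echo "WARN: cannot stat $cafile"; return 2; }
    if mode_within "$mode" "$3"; then
        echo "PASS: $cafile mode $mode (from $src)"
    else
        echo "FAIL: $cafile mode $mode exceeds $3 (from $src)"; return 1
    fi
}

# Constructed demo: no flag on the command line, so the path comes from the config file.
demo_dir=$(mktemp -d)
printf 'constructed CA\n' > "$demo_dir/ca.crt"; chmod 600 "$demo_dir/ca.crt"
printf 'authentication:\n  x509:\n    clientCAFile: %s\n' "$demo_dir/ca.crt" \
    > "$demo_dir/kubelet-config.yaml"
check_ca_perms "kubelet --config=$demo_dir/kubelet-config.yaml" \
    "$demo_dir/kubelet-config.yaml" 600
rm -rf "$demo_dir"
```

Reporting the source (`flag` or `config`) alongside the result makes it visible which of the two conditions actually supplied the path that was tested.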
