[PSUPCLPL-13377] - Restrictive File permission for kubelet configuration file

[pranavcracker]

Description

• This change is to modify the file permission for kubelet configuration file (/var/lib/kubelet/config.yaml)

Fixes # (issue)
kube-bench identifier 4.1.9

Solution

• Set file permission for /var/lib/kubelet/config.yaml as 600 or more restrictive

Test Cases

TestCase 1

Steps:

1. Install kubenernetes cluster or run migrate_kubemarine on existing k8s cluster with latest kubemarine distribution
2. Download and install latest kube-bench on master and worker nodes -

• Download kube-bench_0.7.2_linux_amd64 package from https://github.com/aquasecurity/kube-bench
• Install downloaded pkg using sudo dpkg -i kube-bench_0.7.2_linux_amd64.deb

3. Run kube-bench

Results:

Before	After
[FAIL] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)	[PASS] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• Integration CI passed
• There is no merge conflicts

Unit tests

Indicate new or changed unit tests and what they do, if any.

[ilia1243]

Although /var/lib/kubelet/config.yaml currently has 644 permissions, /var/lib/kubelet has 700. So the "effective" permissions for /var/lib/kubelet/config.yaml is 700 & 644 = 600. In particular, no user apart from root can read the file.
Can the above statement not always be true in our installation?

[pranavcracker]

Issue with inaccurate assessment for file permissions has been raised with kube-bench
aquasecurity/kube-bench#1598

[pranavcracker]

Closing this PR as we are not going to implement it at this moment.
We have raised an issue with kube-bench and we will track for it's status through aquasecurity/kube-bench#1598