Hi,
Some K8s hardening recommendations suggest the files of the systemd services to have 600 permissions. In particular I would like to have for example the file /etc/systemd/system/snap.k8s.kubelet.service with 600 permissions. Is there a “correct” to configure this?
Thanks
Service files are written by snapd. Can you clarify what you want to achieve by changing the permissions to 0600?
As part of hardening Kubernetes we need to comply with a number of recommendations. One set of such recommendations comes from [1]. The CIS recommendation 4.1.1 states “Ensure that the kubelet service file permissions are set to 600 or more restrictive”. The kubelet service is a systemd service whose file is created by snapd with permissions 644. The manual approach of changing the service file permissions we suggest in the case of MicroK8s is not so great [2]. What is the proper way to handle this?
Thank you for the quick reply.
Those recommendations are confusing since:
lis 12 12:09:02 galeon systemd[1]: Configuration file
/etc/systemd/system/snap.lxd.daemon.service is marked world-inaccessible.
This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
There are hardening recommendations for other parts of the system. At this point we are only looking at the CIS hardening for K8s. There might be other recommendations for systemd.
I think those need to be taken with a grain of salt. As I demonstrated above, unless systemd is patched to disallow that that recommendation alone isn’t as useful.
Keep note, that even if you change the file permissions manually, you will have to repeat that step each time microk8s snap is refreshed. You can consult snapd docs, see https://snapcraft.io/docs/managing-updates