
Yaki does not set restrictive permissions (600) on kubelet service and config.yaml #60

@5th0

Description

By default, Yaki does not apply restrictive permissions (600) on the following files:

  • /lib/systemd/system/kubelet.service
  • /var/lib/kubelet/config.yaml

Due to this, security compliance tests flag this issue:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/refs/heads/main/job-node.yaml

[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[FAIL] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)

Expected Behavior

These files should have restrictive 600 permissions by default to align with security best practices.

Current Behavior

The permissions are set more openly, which could pose a security risk.

Workaround

Manually setting the 600 permissions on these files allows the test to pass without further issues:

chmod 600 /lib/systemd/system/kubelet.service
chmod 600 /var/lib/kubelet/config.yaml

Suggested Fix

Update Yaki to ensure that these files are created with 600 permissions by default.

Test

To verify the fix, execute the following command:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/refs/heads/main/job-node.yaml

Then, check that the results include the following entries:

[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[PASS] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)
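An added example, not code from Yaki or kube-bench: it applies the same "600 or more restrictive" criterion that checks 4.1.1 and 4.1.9 use (no permission bit set outside owner read/write) to the two kubelet files, reports in kube-bench style, and tightens only the files that are too open. The function names and the BSD `stat` fallback are this example's own assumptions; the demo at the bottom runs on constructed files in a temporary directory rather than the real node paths.

```shell
#!/bin/sh
# Added example, not code from Yaki or kube-bench. Re-implements the criterion behind
# kube-bench checks 4.1.1 and 4.1.9 ("600 or more restrictive") so a node can be audited
# and remediated without running the kube-bench Job. GNU stat (-c %a) with a BSD fallback.

# Octal permission bits of a file, e.g. 644 (no leading zero).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Exit 0 if the mode is 600 or stricter: no bit outside owner read/write may be set,
# i.e. (mode & 0177) == 0. 644, 640 and 700 all fail; 600, 400 and 000 pass.
# Exit 2 when the file is missing, so "absent" is distinguishable from "too open".
mode_is_600_or_stricter() {
    [ -e "$1" ] || return 2
    mode=$(file_mode "$1")
    [ -n "$mode" ] || return 2
    [ $(( 0$mode & 0177 )) -eq 0 ]
}

# chmod a file to 600 only when it is too open; prints what it changed.
enforce_mode_600() {
    mode_is_600_or_stricter "$1"
    case $? in
        0) return 0 ;;
        2) echo "SKIP $1 (missing)"; return 2 ;;
    esac
    before=$(file_mode "$1")
    chmod 600 "$1" && echo "FIXED $1 ($before -> 600)"
}

# kube-bench style report for each path given; exit 1 if any file fails.
audit_kubelet_files() {
    status=0
    for f in "$@"; do
        if mode_is_600_or_stricter "$f"; then
            echo "[PASS] $f mode $(file_mode "$f")"
        else
            echo "[FAIL] $f mode $(file_mode "$f"); expected 600 or stricter"; status=1
        fi
    done
    return $status
}

# Self-contained demo on constructed files (not the real kubelet paths).
demo_dir=$(mktemp -d)
touch "$demo_dir/kubelet.service" "$demo_dir/config.yaml"
chmod 644 "$demo_dir/kubelet.service"; chmod 640 "$demo_dir/config.yaml"  # too open, as in the issue
audit_kubelet_files "$demo_dir/kubelet.service" "$demo_dir/config.yaml" || true
enforce_mode_600 "$demo_dir/kubelet.service"; enforce_mode_600 "$demo_dir/config.yaml"
audit_kubelet_files "$demo_dir/kubelet.service" "$demo_dir/config.yaml"
rm -rf "$demo_dir"
```

On a real node, `audit_kubelet_files /lib/systemd/system/kubelet.service /var/lib/kubelet/config.yaml` gives the same verdict as the two kube-bench checks, and `enforce_mode_600` on each path is the issue's workaround applied only where needed.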
