Risks

Protecting Important Directories in a Kubernetes Cluster

Restricting Access to Directories and Configmaps

The Kubeconfig, Kubeletconfig, and Kubeadmconfig contain important information about the cluster.       

Apart from information gathering, modifying these configs can paralyze the cluster.

By default, the following directories contain important information about the cluster:

  • /etc/kubernetes/
  • /var/lib/kubelet/
  • /etc/sysconfig/kubelet
  • $HOME/./kube/config.yaml

These directories are only relevant for troubleshooting. Therefore, non-admin users should not have any access rights to these paths. Since all paths are immediately visible with "systemctl cat kubelet", "systemctl" should only be accessible to admins of the cluster. Furthermore, these directories are mounted in the corresponding pods by configmaps in the kube-system namespace. Therefore, access to the configmaps should also be restricted to the kube-system namespace.

Any Questions?

Please feel free to contact us for any question that is not answered yet. 

We are looking forward to get in contact with you!

Design Escapes

KubeOps GmbH
Hinter Stöck 17
72406 Bisingen
Germany

  • Telefon:

    +49 7433 93724 90

  • Mail:

    This email address is being protected from spambots. You need JavaScript enabled to view it.

Download Area
Certified as

KubeOps GmbH is the owner of the Union trademark KubeOps with the registration number 018305184. 

© KubeOps GmbH. All rights reserved. Subsidiary of