Check for kubelet-config.json File Ownership

Risk Level: Medium (should be achieved)

Ensure that the kubelet-config.json file ownership is set to "root:root" as only the root user and group should be able to read or modify the kubelet-config.json configuration file. This prevents unauthorized changes to the Kubelet's operational parameters, thus maintaining the integrity and security of the worker node.

Security

The kubelet-config.json file defines the operating parameters for the Kubelet service on a Kubernetes cluster worker node. Because the Kubelet runs with elevated privileges, the kubelet-config.json file contains sensitive operational settings, and restricting ownership to "root:root" prevents unauthorized modification, reduces the risk of privilege escalation, and strengthens the node's overall security posture.

Audit

To determine the file ownership set for the kubelet-config.json file, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.
For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.
Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to examine, listed in the Name column.
Select the Node pools tab and click on the name (link) of the node pool that you want to examine.
Select the Nodes tab and click on the name (link) of the node (instance) that you want to examine.
Select the Details tab and choose Copy next to Public IP address, in the Instance access section, to get the public IP address of your OKE cluster node.
Use your preferred method to open an SSH connection to the selected cluster node. For the public IP address, use the IP address copied in the previous step. The default username is opc for Oracle Linux and Red Hat Enterprise Linux compatible images, as well as Windows platform images. For Ubuntu images, the default username is ubuntu. See Connecting to an Instance for more details.
Once connected to your OKE cluster worker node, run the commands listed below to determine the kubelet-config.json file ownership:
1. Run the following command to determine if the Kubelet service is running:
```
	sudo systemctl status kubelet
	
```
2. The command output should return Active: active (running).
3. Run the following command to find the kubelet-config.json file for your node:
```
	find / -name kubelet-config.json
	
```
4. The command output should return the location of the kubelet-config.json file, such as /etc/kubernetes/kubelet/kubelet-config.json.
5. Run the following command to obtain the kubelet-config.json file permissions:
```
	stat -c %U:%G /etc/kubernetes/kubelet/kubelet-config.json
	
```
6. The output should return the kubelet-config.json file's ownership. For compliance, the kubelet-config.json file ownership must be set to root:root.
Repeat steps no. 6 - 9 for each worker node running within the selected node pool.
Repeat steps no. 5 - 10 for each node pool created for the selected OKE cluster.

Using OCI CLI

Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
```
oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'
```

The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:
```
oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'
```

The command output should return the requested OKE cluster IDs:

[
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run ce node-pool list command (Windows/macOS/Linux) with the ID of the OKE cluster that you want to examine as the identifier parameter, to list the ID of each node pool created for your OKE cluster:

oci ce node-pool list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data[]."id"'

The command output should return the OKE node pool IDs:

[
	"ocid1.nodepool.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.nodepool.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run ce node-pool get command (Windows/macOS/Linux) to describe the public IP address of each worker node running within the selected OKE node pool:

oci ce node-pool get
	--node-pool-id 'ocid1.nodepool.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data.nodes[]."public-ip"'

The command output should return the public IP address of each OKE cluster worker node (instance):
```
[
	"<public-ip-node-1>",
	"<public-ip-node-2>",
	"<public-ip-node-3>"
]
```
Use your preferred method to open an SSH connection to your OKE cluster worker node. For the public IP address, use the IP address returned in the previous step. The default username is opc for Oracle Linux and Red Hat Enterprise Linux compatible images, as well as Windows platform images. For Ubuntu images, the default username is ubuntu. See Connecting to an Instance for more details.
Once connected to your OKE cluster node, run the commands listed below to determine the kubelet-config.json file ownership:
1. Run the following command to determine if the Kubelet service is running:
```
	sudo systemctl status kubelet
	
```
2. The output should return Active: active (running).
3. Run the following command to find the kubelet-config.json file for your node:
```
	find / -name kubelet-config.json
	
```
4. The command output should return the location of the kubelet-config.json file, such as /etc/kubernetes/kubelet/kubelet-config.json.
5. Run the following command to obtain the kubelet-config.json file permissions:
```
	stat -c %U:%G /etc/kubernetes/kubelet/kubelet-config.json
	
```
6. The output should return the kubelet-config.json file's ownership. For compliance, the kubelet-config.json file ownership must be set to root:root.
Repeat steps no. 9 and 10 for each worker node running within the selected node pool.
Repeat steps no. 7 - 11 for each node pool created for the selected OKE cluster.

Remediation / Resolution

To ensure the file ownership for the kubelet-config.json file on your OKE cluster worker nodes is set to **root:root**, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.
For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.
Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to configure, listed in the Name column.
Select the Node pools tab and click on the name (link) of the node pool that you want to access.
Select the Nodes tab and click on the name (link) of the node (instance) that you want to configure.
Select the Details tab and choose Copy next to Public IP address, in the Instance access section, to get the public IP address of your OKE cluster node.
Use your preferred method to open an SSH connection to the selected cluster node. For the public IP address, use the IP address copied in the previous step. The default username is opc for Oracle Linux and Red Hat Enterprise Linux compatible images, as well as Windows platform images. For Ubuntu images, the default username is ubuntu. See Connecting to an Instance for more details.
Once connected to your OKE cluster worker node, run the following command to set the file ownership for the kubelet-config.json file to root:root (recommended):
```
chown root:root /etc/kubernetes/kubelet/kubelet-config.json
```
Repeat steps no. 6 - 9 for each worker node running within the selected node pool.
Repeat steps no. 5 - 10 for each node pool deployed for the selected OKE cluster.

Using OCI CLI

Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
```
oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'
```

The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:
```
oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'
```

The command output should return the requested OKE cluster IDs:

[
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

oci ce node-pool list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data[]."id"'

The command output should return the OKE node pool IDs:

[
	"ocid1.nodepool.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.nodepool.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run ce node-pool get command (Windows/macOS/Linux) to describe the public IP address of each worker node running within the selected OKE node pool:

oci ce node-pool get
	--node-pool-id 'ocid1.nodepool.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data.nodes[]."public-ip"'

The command output should return the public IP address of each OKE cluster worker node (instance):
```
[
	"<public-ip-node-1>",
	"<public-ip-node-2>",
	"<public-ip-node-3>"
]
```
Use your preferred method to open an SSH connection to your OKE cluster worker node. For the public IP address, use the IP address returned in the previous step. The default username is opc for Oracle Linux and Red Hat Enterprise Linux compatible images, as well as Windows platform images. For Ubuntu images, the default username is ubuntu. See Connecting to an Instance for more details.
Once connected to your OKE cluster worker node, run the following command to set the file ownership for the kubelet-config.json file to root:root (recommended):
```
chown root:root /etc/kubernetes/kubelet/kubelet-config.json
```
Repeat steps no. 9 and 10 for each worker node running within the selected node pool.
Repeat steps no. 7 - 11 for each node pool deployed for the selected OKE cluster.

References

Oracle Cloud Infrastructure Documentation
Overview of Kubernetes Engine (OKE)
Managing Kubernetes Clusters
Connecting to an Instance

Oracle Cloud Infrastructure CLI Documentation
compartment list
cluster list
node-pool list
node-pool get

Publication date Dec 1, 2025

Audit

Using OCI Console

Using OCI CLI

Remediation / Resolution

Using OCI Console

Using OCI CLI

References

Related OCI-OKE rules