Getting repeated warnings about world-readable systemd unit file

[kasadaamos]

Image I'm using:

bottlerocket-aws-k8s-1.29-aarch64-v1.21.1-82691b51

What I expected to happen:
No redundant warning about a world-inaccessible config file

What actually happened:
Many warnings like:

Configuration file /etc/systemd/system/kubelet.service.d/exec-start.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

How to reproduce the problem:

Run an EKS cluster using this Bottlerocket image, watch the host logs.

More details:

{"boot_id":"54306ba6143342c9a683221a563241db","machine_id":"ec258b354ecd6678370da8983e1ce9e8","runtime_scope":"system","priority":"4","syslog_facility":"3","syslog_identifier":"systemd","uid":"0","gid":"0","tid":"1","transport":"journal","pid":"1","comm":"systemd","exe":"/aarch64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/systemd","cmdline":"/sbin/init systemd.log_target=journal-or-kmsg systemd.log_color=0 systemd.show_status=true","cap_effective":"1ffffffffff","selinux_context":"system_u:system_r:init_t:s0","systemd_cgroup":"/init.scope","systemd_unit":"init.scope","systemd_slice":"-.slice","hostname":"ip-10-66-149-96.ap-southeast-2.compute.internal","code_file":"src/basic/fs-util.c","code_line":"336","code_func":"stat_warn_permissions","message":"Configuration file /etc/systemd/system/kubelet.service.d/exec-start.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.","source_realtime_timestamp":"1725347904330246","cluster":"dev-apse2-main","cloud":{"region":"ap-southeast-2"}}

[yeazelm]

Hello @kasadaamos, thanks for cutting this issue. I noticed a few messages in my journal with this message as well but it only happens twice and doesn't repeat.

This looks to be due to /etc/systemd/system/kubelet.service.d/exec-start.conf being mode 600 (-rw-------). This is being set with this configuration: https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/shared-defaults/kubernetes-services.toml#L53 and is a result of the CIS Benchmark work done last year. It still shows as compliant when set as 644:

$ apiclient report cis-k8s
Benchmark name:  CIS Kubernetes Benchmark (Worker Node)
Version:         v1.8.0
Reference:       https://www.cisecurity.org/benchmark/kubernetes
Benchmark level: 1
Start time:      2024-09-04T03:57:03.259560484Z
[PASS] 4.1.1     Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automatic)
...

I think we just locked this one down a bit more than strictly required. I'll see if it is a quick change we can make to avoid these messages. Thanks again for the report!