Fix credential exposure in kubeconfig file permissions, azcmagent argv, and log file handling#145
Merged
Fix credential exposure in kubeconfig file permissions, azcmagent argv, and log file handling#145
Conversation
Kubeconfig files contain sensitive credentials (AZURE_CLIENT_SECRET in SP mode, bootstrap token in bootstrap-token mode). Writing them world-readable (0644) allowed any local user or hostPath-mounted container to read them. Changed to 0600 to match CIS Kubernetes Benchmark 4.1.5/4.1.9 and the kubeadm code path which already uses 0600.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
8437905 to
62cc6d1
Compare
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
62cc6d1 to
c79164a
Compare
azcmagent only supports --access-token via argv, which exposes the token through /proc/<pid>/cmdline to all local users. The token is short-lived (~60 minutes) which limits the window, but it is still observable during registration. Document this as a known limitation with a pointer to alternative auth methods (service principal certificate, Azure CLI).
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
c79164a to
55bfa1c
Compare
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
55bfa1c to
c392f8e
Compare
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
c392f8e to
897e90b
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to harden node security by reducing credential exposure vectors in kubelet kubeconfigs, Azure Arc registration, and agent log file handling.
Changes:
- Tighten kubelet kubeconfig and bootstrap-kubeconfig permissions from
0644to0600. - Adjust Arc registration code around access-token handling (but the token is still passed via argv in the current diff).
- Remove the prior log-file permission “fix” behavior and change the log open call (but the actual on-disk log file mode is still set at creation time elsewhere).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
components/kubelet/v20260301/kubelet_config.go |
Writes kubelet kubeconfig + bootstrap kubeconfig with 0600 to reduce credential exposure. |
components/arc/v20260301/arc_registration.go |
Adds commentary/TODOs about argv token exposure; current code still appends --access-token to args. |
pkg/logger/logger.go |
Removes chmod-based fallback and changes the OpenFile mode argument (though without O_CREATE, this won’t change file permissions). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
897e90b to
684618d
Compare
…back The agent runs as root, so if it cannot open its own log file, chmod/chown workarounds won't help — just fail. Removed the fallback that ran chmod 666 which made the log world-writable. Now opens with 0600 and returns the error directly on failure.
bcho
force-pushed
the
hbc/fix-medium-findings
branch
from
684618d to
a98c0c6
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wenxuan0923
approved these changes
Apr 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/proc/cmdlineexposure as a known limitation ofazcmagentchmod 666log file fallback — open with 0600 and fail on errorKubelet kubeconfig file permissions (
kubelet_config.go)ensureKubeletKubeconfig()andensureBootstrapKubeconfig()wrote credential-bearing files with mode 0644 (world-readable). In SP mode the kubeconfig embedsAZURE_CLIENT_SECRETin the exec env block; in bootstrap-token mode it contains the raw<id>.<secret>token. Changed both to 0600, matching the kubeadm code path (components/kubeadm/v20260301/join.go) and CIS Kubernetes Benchmark 4.1.5/4.1.9.ARM token on azcmagent command line (
arc_registration.go)addAuthenticationArgs()passes--access-token <jwt>on the command line, making the token visible via/proc/<pid>/cmdlineto all local users. After researching the azcmagent connect docs,azcmagentdoes not support reading the token from stdin or environment variables —--access-tokenon argv is the only option. The token is short-lived (~60 minutes) which limits the exposure window. Added a TODO documenting this limitation and a follow-up to investigate whetherazcmagentcan discover auth settings on its own (e.g.--use-azclior VM MSI) to avoid passing tokens on the command line entirely.Log file permission fallback (
logger.go)When opening the log file hit EACCES, the agent ran
chmod 666to make it world-writable. Since the agent runs as root, this fallback was both unnecessary and insecure. Removed the workaround entirely — now opens with 0600 and returns the error on failure.