---
title: The kubeconfig file should have permissions set to 644 or more restrictive
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > The kubeconfig file should have
  permissions set to 644 or more restrictive
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# The kubeconfig file should have permissions set to 644 or more restrictive
 
## Description{% #description %}

AWS EKS worker node kubeconfig files should have permissions set to `644` or more restrictive. The kubelet kubeconfig file contains authentication credentials the kubelet uses to connect to the Kubernetes API server, so restricting write access to administrators preserves the integrity of the kubelet configuration and reduces the risk of malicious alterations that could compromise the cluster.

## Remediation{% #remediation %}

On each worker node, run the following command (adjusting the path to the kubeconfig file location on your system) to restrict the file permissions. See the [Kubernetes cluster hardening documentation](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/) for more detail.

```bash
chmod 644 /var/lib/kubelet/kubeconfig
```

**Note**: The path above is the default location in EKS.

## References{% #references %}

- [Kubernetes cluster hardening documentation](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)
- [Amazon EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/security.html)
- [CIS Amazon EKS Benchmark](https://www.cisecurity.org/benchmark/kubernetes)
