Kubernetes configuration file is group-readable

[bjt-user]

Normally when you try to execute helm commands as a normal user you will get permission denied, because the config file is owned by root and not readable:

$ helm list
Error: Kubernetes cluster unreachable: error loading config file "/etc/rancher/k3s/k3s.yaml": open /etc/rancher/k3s/k3s.yaml: permission denied

The only solution to have a config file that all users can use that I see:

sudo chmod 644 /etc/rancher/k3s/k3s.yaml

But then you get these warnings:

WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /etc/rancher/k3s/k3s.yaml
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /etc/rancher/k3s/k3s.yaml

I do not understand the logic here.
How can I use a k3s config file for all users and be able to use helm without warnings?

[mattfarina]

The warning was added after a 3rd party security audit.

In recent versions of Helm the warning is no longer present because:

• There are many situations where the configuration is group or world readable (e.g., being mounted as a secret in a container)
• Other k8s based tooling does not provide this message
• This is a separation of concerns as Helm does not manage the kubeconfig file

If you upgrade to a newer version of Helm you will find the message should be gone.

[bjt-user]

Hello Matt,

thank you for the response.

The issue is still present in the latest version v3.16.1:

$ linux-amd64/helm version
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /etc/rancher/k3s/k3s.yaml
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /etc/rancher/k3s/k3s.yaml
version.BuildInfo{Version:"v3.16.1", GitCommit:"5a5449dc42be07001fd5771d56429132984ab3ab", GitTreeState:"clean", GoVersion:"go1.22.7"}

Let's hope it will be fixed in 3.16.2.

[mattfarina]

Doh. I thought this had been removed. We agreed to remove these lines but it appears we did not make the necessary change. I'll look into doing that.