diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go
index 17bd775b..5d2a1c49 100644
--- a/pkg/webhook/controlplane/ensurer.go
+++ b/pkg/webhook/controlplane/ensurer.go
@@ -20,6 +20,7 @@ import (
 "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper"
 "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector"
 "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal"
+ "github.com/metal-stack/metal-lib/pkg/pointer"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -219,3 +220,23 @@ func (e *ensurer) EnsureMachineControllerManagerVPA(_ context.Context, _ gcontex
 )
 return nil
 }
+
+func (e *ensurer) EnsureAdditionalFiles(ctx context.Context, gctx gcontext.GardenContext, new, old *[]extensionsv1alpha1.File) error {
+ if new == nil {
+ return nil
+ }
+
+ var files []extensionsv1alpha1.File
+ for _, f := range *new {
+ if f.Path == "/var/lib/kubelet/config/kubelet" {
+ // for cis benchmark this needs to be 600
+ f.Permissions = pointer.Pointer(int32(0600))
+ }
+
+ files = append(files, f)
+ }
+
+ *new = files
+
+ return nil
+}
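Review bot: The permission tightening in the new EnsureAdditionalFiles depends on an exact match against the literal `"/var/lib/kubelet/config/kubelet"`, so if the path handed to the webhook ever differs, or the file is absent, the loop touches nothing and returns nil, and the CIS hardening regresses with no signal. I would lift the literal into a named constant, e.g. `const kubeletConfigPath = "/var/lib/kubelet/config/kubelet"`, and record whether the file was seen so a miss can at least be logged (assuming the ensurer has a logger, which this hunk does not show). A unit test asserting that the kubelet config entry comes out with mode 0600 would pin the behaviour. On style, the parameter name `new` shadows the Go builtin and `ctx`, `gctx` and `old` are unused; `_ context.Context, _ gcontext.GardenContext, newFiles, _ *[]extensionsv1alpha1.File` would follow the `_` convention of EnsureMachineControllerManagerVPA just above. The method also lacks a doc comment; something like `// EnsureAdditionalFiles restricts the kubelet config file to mode 0600 as required by the CIS benchmark.` would do.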