Profile Applicability:
• Level 1
Description:
If the kubelet is running, and it is configured using a kubeconfig file, ensure that the file permissions are set to 644 or more restrictive. The kubeconfig file governs the kubelet’s communication with the Kubernetes control plane and should be securely maintained.
Rationale:
The kubelet kubeconfig file controls various parameters of the kubelet service in the worker node. Restricting its file permissions helps prevent unauthorized modifications, preserving the integrity of the file and the security of the cluster. The file should be writable only by system administrators.
Impact:
Pros:
Prevents unauthorized write access to a sensitive configuration file.
Reduces risk of cluster compromise due to kubelet misconfiguration.
Aligns with file security best practices.
Cons:
May restrict non-admin users from editing kubelet configurations quickly.
Could require changes to operational procedures or workflows.
Default Value:
The default permission setting may vary depending on the AMI or OS image used. Refer to AWS EKS documentation for image-specific defaults.
Pre-requisites:
SSH access or privileged pod access to Kubernetes worker nodes.
Permissions to inspect kubelet processes and file system paths.
Remediation
Test Plan:
Using AWS Console:
Navigate to Amazon EC2 > Instances.
Select a worker node and connect via Session Manager or EC2 Instance Connect.
Verify kubelet service is running:
sudo systemctl status kubelet
Identify kubeconfig file path from running process:
ps -ef | grep kubelet
Check the file permissions:
stat -c %a /var/lib/kubelet/kubeconfig
Confirm the mode is 644 or more restrictive, meaning no permission bit beyond rw-r--r-- is set (640, 600 or 400 also pass; 664, 755 or any setuid/setgid bit fails).
Using AWS CLI:
Create a privileged pod to access the host file system.
Enter the pod shell and check kubeconfig permissions.
kubectl apply -f file-check-pod.yaml
kubectl exec -it file-check -- sh
ls -l /host/var/lib/kubelet/kubeconfig
Implementation Plan
Using AWS Console:
Use EC2 Instance Connect or Session Manager to access the worker node.
Locate the kubeconfig file path from the kubelet process.
Change the file permissions with chmod so the mode is 644 or more restrictive.
Using AWS CLI:
SSH into each worker node or use SSM.
Run the following command based on the kubeconfig file path:
chmod 644 /var/lib/kubelet/kubeconfig
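The following script is an added example, not part of the benchmark text or of any AWS or Kubernetes tooling. It automates the Test Plan check (locate the kubeconfig path from the running kubelet, read its mode, decide whether it is 644 or more restrictive) and, on request, applies the chmod 644 remediation from the Implementation Plan. It assumes GNU stat -c %a (with BSD stat -f %Lp as a fallback), a kubelet started with --kubeconfig on its command line, and the EKS default path /var/lib/kubelet/kubeconfig when that flag is absent; the function and script names are the example's own.

```shell
#!/bin/sh
# Added example (not benchmark or AWS code): audit and optionally remediate
# the kubelet kubeconfig file mode on a worker node.
# Assumptions: GNU `stat -c %a` (BSD `stat -f %Lp` fallback), kubelet run with
# --kubeconfig, and /var/lib/kubelet/kubeconfig as the default when unset.

# Extract the --kubeconfig value from a kubelet command line string.
# Prints nothing when the flag is absent.
kubeconfig_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*--kubeconfig[= ]\([^ ]*\).*/\1/p'
}

# Find the kubeconfig path of the running kubelet (the test plan's
# `ps -ef | grep kubelet` step), falling back to the EKS default path.
kubelet_kubeconfig_path() {
    cmdline=$(ps -eo args 2>/dev/null | grep '[k]ubelet' | head -n 1)
    path=$(kubeconfig_from_cmdline "$cmdline")
    printf '%s\n' "${path:-/var/lib/kubelet/kubeconfig}"
}

# Return 0 when octal mode $1 is 644 or more restrictive, i.e. it sets no
# permission bit outside rw-r--r-- (640, 600, 400 pass; 664, 755 and any
# setuid/setgid/sticky bit fail). Return 2 on malformed input.
mode_is_644_or_stricter() {
    case "$1" in
        ""|*[!0-7]*) return 2 ;;
    esac
    # The leading 0 makes the shell parse the value as octal; ~0644 masks
    # out the bits 644 permits, leaving only bits that go beyond it.
    extra=$(( 0$1 & ~0644 ))
    [ "$extra" -eq 0 ]
}

# Print the numeric mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Audit one file: returns 0 = PASS, 1 = FAIL, 2 = missing or unreadable.
check_kubeconfig_file() {
    [ -e "$1" ] || { echo "ERROR: $1 not found"; return 2; }
    mode=$(file_mode "$1") || return 2
    if mode_is_644_or_stricter "$mode"; then
        echo "PASS: $1 mode $mode is 644 or more restrictive"
    else
        echo "FAIL: $1 mode $mode is more permissive than 644"
        return 1
    fi
}

# Remediation from the Implementation Plan, applied only to a failing file.
fix_kubeconfig_file() {
    check_kubeconfig_file "$1"; rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    chmod 644 "$1" && echo "FIXED: $1 set to 644"
}

# Usage: sh audit-kubeconfig.sh audit   (check only)
#        sh audit-kubeconfig.sh fix     (check, then chmod 644 if it fails)
case "${1:-}" in
    audit) check_kubeconfig_file "$(kubelet_kubeconfig_path)" ;;
    fix)   fix_kubeconfig_file "$(kubelet_kubeconfig_path)" ;;
esac
```

The bitmask comparison is the point worth keeping: "644 or more restrictive" is not a numeric less-than-or-equal test (700 is numerically larger than 644 yet grants execute and denies group read), so the check masks the file's mode against the bits 644 allows and fails on anything left over.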
Backout Plan
Using AWS Console:
Reconnect to the instance via Session Manager or EC2 Instance Connect.
If needed, reset the permissions to the previous state based on operational requirements (e.g., 600 or 640 if required by a specific configuration).
Using AWS CLI:
Adjust permissions back to original configuration if required:
chmod 600 /var/lib/kubelet/kubeconfig