Profile Applicability:
  • Level 1

Description:
If the kubelet is running, ensure that the ownership of its kubeconfig file is set to root:root. This ownership protects the file from unauthorized modification and ensures only privileged users can alter its configuration.

Rationale:
The kubelet kubeconfig file controls various parameters for the kubelet service in the worker node. Setting its file ownership to root:root helps maintain the integrity and security of the file, preventing unauthorized changes that could lead to cluster compromise.

Impact:
Pros:

  • Prevents unauthorized users from modifying sensitive configuration files.

  • Helps maintain compliance with least privilege access standards.

  • Strengthens node-level security posture.

Default Value:
The default ownership setting may vary depending on the base AMI or OS image used. Refer to AWS EKS documentation for default image behavior.

Pre-requisites:

  • SSH or Systems Manager access to worker nodes.

  • Permissions to inspect and modify file ownership on the node file system.

  • Privileged pod access if using Kubernetes-native methods.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to Amazon EC2 > Instances.

  2. Select a worker node and connect using Session Manager or EC2 Connect.

  3. Verify that the kubelet service is running:

    • sudo systemctl status kubelet

  4. Identify the path of the kubeconfig file:

    • ps -ef | grep kubelet

  5. Run the following command to check file ownership:

    • stat -c %U:%G /var/lib/kubelet/kubeconfig

  6. Confirm that the output is root:root.

Using AWS CLI:

  1. Create a privileged pod to inspect the host’s filesystem.

  2. Enter the pod and check file ownership of the kubeconfig file.

    kubectl apply -f file-check-pod.yaml
    kubectl exec -it file-check -- sh
    ls -l /host/var/lib/kubelet/kubeconfig
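The node-side checks in steps 3 to 5 of the test plan (kubelet running, kubeconfig path taken from the kubelet command line, owner compared to root:root) can be scripted so the result is repeatable across a node group. The script below is an added example, not part of the benchmark; it assumes a Linux node with GNU coreutils `stat` and procps `ps`, and falls back to /var/lib/kubelet/kubeconfig when the kubelet is started without an explicit --kubeconfig flag.

```shell
#!/bin/sh
# Added example: verify kubelet kubeconfig ownership the way the test plan does.
# Assumes GNU coreutils stat and procps ps (as found on EKS-optimized AMIs).

EXPECTED_OWNER="root:root"
DEFAULT_KUBECONFIG="/var/lib/kubelet/kubeconfig"

# Extract the --kubeconfig value from a kubelet command line passed as $1.
# Accepts both "--kubeconfig=PATH" and "--kubeconfig PATH"; when the flag is
# absent, return the default path used in the test plan.
kubeconfig_from_cmdline() {
    path=$(printf '%s\n' "$1" | sed -n 's/.*--kubeconfig[= ]\([^ ]*\).*/\1/p')
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf '%s\n' "$DEFAULT_KUBECONFIG"
    fi
}

# Return 0 when FILE ($1) is owned by EXPECTED ($2, user:group); return 1 when
# the owner differs or the file is missing (a missing kubeconfig is also a finding).
owner_matches() {
    file=$1; expected=$2
    [ -e "$file" ] || return 1
    actual=$(stat -c '%U:%G' "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Full node check: SKIP when the kubelet is not running (control does not apply),
# PASS/FAIL otherwise. Exit status is 1 on FAIL so it can drive a fleet-wide sweep.
check_kubelet_kubeconfig() {
    cmdline=$(ps -o args= -C kubelet 2>/dev/null | head -n 1)
    [ -n "$cmdline" ] || { echo "SKIP: kubelet is not running"; return 0; }
    kubeconfig=$(kubeconfig_from_cmdline "$cmdline")
    if owner_matches "$kubeconfig" "$EXPECTED_OWNER"; then
        echo "PASS: $kubeconfig is owned by $EXPECTED_OWNER"
    else
        actual=$(stat -c '%U:%G' "$kubeconfig" 2>/dev/null || echo "missing")
        echo "FAIL: $kubeconfig owner is $actual, expected $EXPECTED_OWNER"
        echo "      remediate with: sudo chown $EXPECTED_OWNER $kubeconfig"
        return 1
    fi
}

check_kubelet_kubeconfig
```

Run it with sudo on each worker node (for example via a Systems Manager Run Command); a FAIL line names the exact file and the chown needed to remediate.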

Implementation Plan:

Using AWS Console:

  1. Open a shell into the worker node using Session Manager or EC2 Connect.

  2. Change the file ownership of the kubeconfig file to root:root using chown.

Using AWS CLI:

  1. SSH into the worker node or use Session Manager.

  2. Run the following command to update ownership:

    chown root:root /var/lib/kubelet/kubeconfig

Backout Plan:

Using AWS Console:

  1. Connect to the node using Session Manager.

  2. If needed, revert to the previous file owner based on operational requirements using chown.

Using AWS CLI:

  1. Revert ownership to the previous user/group if necessary:

    chown <previous_user>:<previous_group> /var/lib/kubelet/kubeconfig

References:

  1. Kubernetes Kube-Proxy and Kubeconfig Documentation