Profile Applicability:
• Level 1
Description:
Ensure that, if the kubelet is started with the --config argument, the referenced configuration file has permissions of 644 or more restrictive. The kubelet reads critical parameters from this file, including its security settings, which makes it a key configuration element.
Rationale:
The kubelet configuration file defines various kubelet operational and security parameters. Restricting access by setting the proper file permissions ensures the integrity of these settings and prevents unauthorized modifications that could weaken node-level security.
Impact:
Pros:
Protects sensitive configuration parameters from unauthorized changes.
Reduces the risk of misconfiguration that can compromise node and cluster security.
Enforces best practices in file-level security management.
Default Value:
Default permissions may vary depending on the operating system and AMI. Refer to AWS EKS or distribution-specific documentation.
Pre-requisites:
SSH or Systems Manager access to worker nodes.
Permissions to inspect kubelet process flags and access local file systems.
Optional access via privileged Kubernetes pod for remote inspection.
Remediation:
Test Plan:
Using AWS Console:
Navigate to Amazon EC2 > Instances and connect to a worker node via Session Manager or EC2 Connect.
Confirm kubelet is running:
sudo systemctl status kubelet
Identify the kubelet config file path from the --config argument in the process arguments:
ps -ef | grep kubelet
Check the file permissions:
stat -c %a /etc/kubernetes/kubelet/config.json
Confirm the permission is 644 or more restrictive (no permission bit set beyond rw-r--r--; for example 640 or 600 also pass).
Using AWS CLI:
Deploy a privileged pod on the cluster.
Enter the pod and check the file permissions through the host filesystem mount (/host below):
kubectl apply -f file-check-pod.yaml
kubectl exec -it file-check -- sh
ls -l /host/etc/kubernetes/kubelet/config.json
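As an added audit helper that is not part of the benchmark text: a small POSIX shell script that reads the --config path from the running kubelet's process arguments and then tests the file mode against 644 as a bit test rather than a numeric comparison (640 or 600 pass, 664 or 700 fail). It assumes GNU stat, as used in the stat -c %a step above; from the privileged pod, audit_config_file can be pointed at the /host-mounted path instead.

```shell
#!/bin/sh
# Added audit helper, not part of the benchmark text. Assumes GNU stat
# (as in the stat -c %a command above) and a kubelet started with --config.

# Print the --config value from a kubelet command line; accepts both
# "--config=/path" and "--config /path", prints nothing if absent.
kubelet_config_path() {
  printf '%s\n' "$1" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p'
}

# Return 0 if octal mode $1 (e.g. 644, 640, 0600) is 644 or more restrictive.
# "More restrictive" means no bit set outside rw-r--r--, so 640 and 600 pass
# while 664 (group write) and 700 (owner execute) fail; a numeric "<= 644"
# comparison would get 700 wrong. setuid/setgid/sticky bits fail as well.
mode_is_restrictive() {
  m=$((0$1))                            # leading 0: parse as octal
  [ $(( m | 0644 )) -eq $(( 0644 )) ]   # m adds no bit beyond 644
}

# Audit one file: prints PASS/FAIL with the observed mode; returns 0 on pass,
# 1 on fail, 2 if the file cannot be inspected.
audit_config_file() {
  mode=$(stat -c %a "$1" 2>/dev/null) || { echo "ERROR: cannot stat $1"; return 2; }
  if mode_is_restrictive "$mode"; then
    echo "PASS: $1 mode $mode (644 or more restrictive)"
  else
    echo "FAIL: $1 mode $mode (expected 644 or more restrictive)"; return 1
  fi
}

# Audit the running kubelet: find --config in the process list, then check it.
audit_running_kubelet() {
  cmdline=$(ps -ef | grep '[k]ubelet' | head -n 1)   # [k] excludes the grep itself
  cfg=$(kubelet_config_path "$cmdline")
  [ -n "$cfg" ] || { echo "ERROR: kubelet --config argument not found"; return 2; }
  audit_config_file "$cfg"
}

# Usage: sh kubelet-config-audit.sh --run  (without --run, only defines functions)
if [ "${1:-}" = "--run" ]; then audit_running_kubelet; fi
```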
Implementation Plan:
Using AWS Console:
Connect to the node using EC2 Instance Connect or Session Manager.
Locate the kubelet configuration file path as identified via the --config argument.
Run chmod to update permissions to 644.
Using AWS CLI:
Connect to the worker node.
Run the following command to apply correct permissions:
chmod 644 /etc/kubernetes/kubelet/config.json
Backout Plan:
Using AWS Console:
Access the node using Session Manager.
Adjust file permissions back to the original configuration if required.
Using AWS CLI:
Revert to previous file permissions if needed:
chmod <previous_permissions> /etc/kubernetes/kubelet/config.json