iCompaas Support

Profile Applicability:

• Level 1

Description:

Ensure that the file permissions for the API server pod specification file are set to 600 or more restrictive, ensuring that only the root user or service account has access to the file, thereby enhancing security and preventing unauthorized access.

Rationale:

Restricting file permissions on sensitive pod specification files prevents unauthorized users or processes from reading, modifying, or executing the configuration, ensuring the integrity of the pod configuration and minimizing potential attack vectors.

Impact:

Pros:

• Increases security by limiting access to the pod specification file.
  

• Helps prevent unauthorized access or tampering with critical configurations.
  

Cons:

• Could lead to operational issues if file access is improperly restricted, especially during automated updates or troubleshooting.
  

Default Value:

Pod specification files are not configured by default to have strict file permissions. Manual configuration is required.

Pre-Requisites:

• Access to the pod specification file.
  

• Sufficient privileges (root or administrator access) to modify file permissions.
  

• Kubernetes environment configured for secure pod management.
  

Remediation:

Test Plan:

Using AWS Console:

1. Sign in to the AWS management console
   

2. Open the Amazon Elastic Kubernetes Service (EKS) console.
   

3. Navigate to the "Workloads" section and locate the API server pod.
   

4. Check the file permissions for the API server pod specification file to ensure it is set to 600 or more restrictive.
   

5. Verify that only authorized users have access to the file.
   

Using AWS CLI:

Use the following command to check the file permissions for the API server pod specification file:

kubectl exec -it <api-server-pod-name> -- ls -l /etc/kubernetes/manifests/

Ensure that the file permissions for the pod specification file are set to 600 or more restrictive. If not, run the following command to set the permissions:

sudo chmod 600 /etc/kubernetes/manifests/<api-server-pod-file>

Implementation Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.
   

2. Navigate to the EKS service.
   

3. Open the "Workloads" section and locate the API server pod.
   

4. Review the file permissions for the pod specification file.
   

5. If the permissions are not set to 600 or more restrictive, modify the file permissions using SSH or a Kubernetes management tool.
   

Using AWS CLI:

Identify the pod name:

kubectl get pods --namespace=kube-system

Access the pod and check the file permissions:

kubectl exec -it <api-server-pod-name> -- ls -l /etc/kubernetes/manifests

If needed, change the file permissions:

sudo chmod 600 /etc/kubernetes/manifests/<api-server-pod-file>

Backout Plan:

Using AWS Console:

1. Sign in to the AWS Console.
   

2. Navigate to the Kubernetes environment.
   

3. Locate the API server pod and open the pod specification file.
   

4. Modify the file permissions to ensure that they meet the required security standards.
   

5. Confirm that access restrictions are appropriately applied.
   

Using AWS CLI:

To revert the file permissions to less restrictive settings, run the following command:

sudo chmod 644 /etc/kubernetes/manifests/<api-server-pod-file>

References:

• Kubernetes Best Practices for Pod Security
  AWS EKS Documentation