iCompaas Support

Profile Applicability:

• Level 1
  

Description:

Ensure that the ownership of the API server pod specification file is set to root:root, meaning that both the owner and the group of the file are set to root. This configuration helps in maintaining proper access control and preventing unauthorized modifications to the file.

Rationale:

Setting the ownership of the API server pod specification file to root:root ensures that only the root user and group have access to the file, thereby enhancing security and minimizing the risk of unauthorized users modifying the configuration, which could lead to potential security breaches.

Impact:

Pros:

• Increases the security of the Kubernetes environment by restricting access to critical configuration files.
  

• Helps in maintaining the integrity of the API server pod configuration.
  

Cons:

• If file ownership is misconfigured, it could impact the ability to perform updates or maintenance unless the permissions are corrected.
  

Default Value:

Pod specification files are not configured by default to have ownership set to root:root. Manual configuration is required.

Pre-Requisites:

• Access to the pod specification file.
  

• Sufficient privileges (root or administrator access) to modify file ownership.
  

• Kubernetes environment configured with secure file management practices.
  

Remediation:

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.
   

2. Open the Amazon Elastic Kubernetes Service (EKS) console.
   

3. Navigate to the "Workloads" section and locate the API server pod.
   

4. Check the ownership of the API server pod specification file to ensure it is set to root:root.
   

5. Verify that the file ownership is correctly applied to avoid unauthorized access.
   

Using AWS CLI:

Use the following command to check the file ownership of the API server pod specification file:

kubectl exec -it <api-server-pod-name> -- ls -l /etc/kubernetes/manifests/

Ensure that the file ownership is set to root:root. If not, run the following command to correct it:

sudo chown root:root /etc/kubernetes/manifests/<api-server-pod-file>

Implementation Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.
   

2. Open the EKS service and navigate to the "Workloads" section.
   

3. Locate the API server pod and review the ownership of the pod specification file.
   

4. If the ownership is not set to root:root, modify it by accessing the pod and changing the ownership to root:root.
   

Using AWS CLI:

Identify the pod name:

kubectl get pods --namespace=kube-system

Access the pod and check the file ownership:

kubectl exec -it <api-server-pod-name> -- ls -l /etc/kubernetes/manifests/

If needed, change the file ownership:

sudo chown root:root /etc/kubernetes/manifests/<api-server-pod-file>

Backout Plan:

Using AWS Console:

1. Sign in to the AWS Console.
   

2. Navigate to the Kubernetes environment.
   

3. Locate the API server pod and open the pod specification file.
   

4. Modify the file ownership if needed to ensure that the ownership matches the required security settings.
   

5. Confirm that the ownership changes are applied as expected.
   

Using AWS CLI:

To revert the file ownership to a less secure setting, run the following command:

sudo chown <user>:<group> /etc/kubernetes/manifests/<api-server-pod-file>

References:

• Kubernetes Best Practices for Pod Security
  AWS EKS Documentation