Profile Applicability:

  • Level 1

Description:

Ensure that the file permissions on the controller manager pod specification file are set to 600 or more restrictive, so that only the file's owner (the root user or the service account) can read or modify it. This prevents unauthorized users from reading or altering a critical Kubernetes control plane configuration.

Rationale:

Restricting the controller manager pod specification file to mode 600 or more restrictive ensures that only authorized users (such as the root user or the Kubernetes service account) can access it. This protects the file from unauthorized changes or tampering that could compromise the security of the cluster.

Impact:

Pros:

  • Enhances security by ensuring only authorized users can access the pod specification file.

  • Prevents unauthorized changes that could compromise the security of the Kubernetes control plane.

Cons:

  • If file access is restricted more than the operating tooling expects, it may cause operational difficulties, especially during updates or troubleshooting.

Default Value:

The controller manager pod specification file does not have restrictive permissions set by default. It requires manual configuration to ensure proper access controls.

Pre-Requisites:

  • Access to the controller manager pod specification file.

  • Sufficient privileges (root or administrator access) to modify file permissions.

  • Kubernetes environment configured with secure file management practices.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Workloads" section and locate the controller manager pod.

  4. Check the file permissions for the controller manager pod specification file to ensure it is set to 600 or more restrictive.

  5. Verify that only authorized users have access to the file.

Using AWS CLI:

Use the following command to check the file permissions for the controller manager pod specification file:

kubectl exec -it <controller-manager-pod-name> -- ls -l /etc/kubernetes/manifests/

Ensure that the file permissions are set to 600 or more restrictive. If not, run the following command to set the permissions:

sudo chmod 600 /etc/kubernetes/manifests/<controller-manager-pod-file>

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EKS service and open the "Workloads" section.

  3. Locate the controller manager pod and review the file permissions for the pod specification file.

  4. If the permissions are not set to 600 or more restrictive, modify the file permissions by accessing the pod and updating the permissions.

Using AWS CLI:

Identify the pod name:

kubectl get pods --namespace=kube-system

Access the pod and check the file permissions:

kubectl exec -it <controller-manager-pod-name> -- ls -l /etc/kubernetes/manifests/

If needed, change the file permissions:

sudo chmod 600 /etc/kubernetes/manifests/<controller-manager-pod-file>
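The permission check from the Test Plan and Implementation Plan above, as an added shell helper that is not part of the benchmark text: it reads each manifest's mode and flags anything looser than 600 (group or other bits, owner execute, or setuid/setgid/sticky). Run it on the control plane node itself, since /etc/kubernetes/manifests is the node's filesystem rather than the container's; it assumes GNU stat (with BSD stat as a fallback) and a manifests directory holding *.yaml files.

```shell
#!/bin/sh
# Added audit helper (not benchmark code): verify that Kubernetes manifest
# files are mode 600 or more restrictive. Assumes GNU or BSD stat.

# Return 0 when an octal mode (e.g. 600, 400) grants nothing beyond owner
# read/write. Mask 07177 covers setuid/setgid/sticky, owner execute,
# and every group/other bit; any of those set means "looser than 600".
mode_is_600_or_stricter() {
    mode=$1
    case $mode in
        ''|*[!0-7]*) return 2 ;;   # not an octal mode string
    esac
    [ $(( 0$mode & 07177 )) -eq 0 ]
}

# Print a file's mode as octal digits; GNU stat first, BSD stat fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check one file: PASS (0), FAIL (1) or MISSING (2).
check_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    m=$(file_mode "$f")
    if mode_is_600_or_stricter "$m"; then
        echo "PASS $f mode=$m"
        return 0
    fi
    echo "FAIL $f mode=$m (expected 600 or more restrictive)"
    return 1
}

# Audit every manifest in a directory (default: the kubeadm manifests path).
# Returns non-zero if any file fails, so it can gate a CI or node check.
audit_manifests() {
    dir=${1:-/etc/kubernetes/manifests}
    rc=0
    for f in "$dir"/*.yaml; do
        [ -e "$f" ] || continue
        check_file "$f" || rc=1
    done
    return $rc
}
# Usage on a control plane node: audit_manifests
```

Remediate a FAIL with the chmod 600 command shown above, then re-run the audit to confirm the mode.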

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Locate the controller manager pod and review the pod specification file.

  4. Modify the file permissions to ensure that they match the required security standards.

  5. Confirm that the permissions are correctly applied.

Using AWS CLI:

To revert the file permissions to less restrictive settings, run the following command:

sudo chmod 644 /etc/kubernetes/manifests/<controller-manager-pod-file>

References: