Profile Applicability:
Level 1
Description:
Ensure that the ownership of the controller manager pod specification file is set to root:root. This ensures that only the root user and group have ownership and control over the file, reducing the risk of unauthorized access or modification.
Rationale:
Setting the ownership of the controller manager pod specification file to root:root ensures that the file is protected by restricting ownership to the root user and group, which is essential for maintaining the integrity and security of the Kubernetes control plane.
Impact:
Pros:
Restricts access to sensitive Kubernetes configuration files to only trusted administrators (root).
Enhances security by reducing the potential for unauthorized changes to the controller manager pod configuration.
Cons:
If file ownership is misconfigured, it may result in issues during updates or system maintenance unless corrected.
Default Value:
The controller manager pod specification file is not configured by default to have ownership set to root:root. Manual configuration is required.
Pre-Requisites:
Access to the controller manager pod specification file.
Sufficient privileges (root or administrator access) to modify file ownership.
A Kubernetes environment with proper file management practices.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Workloads" section and locate the controller manager pod.
Check the ownership of the controller manager pod specification file to ensure it is set to root:root.
Verify that only authorized users (root) have ownership of the file.
Using AWS CLI:
Use the following command to check the file ownership for the controller manager pod specification file:
kubectl exec -it <controller-manager-pod-name> -- ls -l /etc/kubernetes/manifests/
Ensure that the file ownership is set to root:root. If not, run the following command to correct it:
sudo chown root:root /etc/kubernetes/manifests/<controller-manager-pod-file>
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to the "Workloads" section.
Locate the controller manager pod and review the ownership of the pod specification file.
If the ownership is not set to root:root, access the pod and change the file ownership to root:root.
Using AWS CLI:
Identify the pod name:
kubectl get pods --namespace=kube-system
Access the pod and check the file ownership:
kubectl exec -it <controller-manager-pod-name> -- ls -l /etc/kubernetes/manifests/
If needed, change the file ownership:
sudo chown root:root /etc/kubernetes/manifests/<controller-manager-pod-file>
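The following is an added example, not part of this benchmark text or of any Kubernetes or AWS tooling: a POSIX shell check that parses the output of the ls -l command used in the Test Plan and Implementation Plan above and flags every manifest file whose owner or group is not root, with an optional remediation that applies the chown step to just the flagged files. The sample listing and its file names are constructed; the default directory path is the one the page uses.

```shell
#!/bin/sh
# Added example: audit /etc/kubernetes/manifests ownership from `ls -l` output.
# Not benchmark or vendor code; sample data below is constructed.

# Constructed `ls -l /etc/kubernetes/manifests/` output. One file is deliberately
# owned by a non-root user so the check has something to report.
SAMPLE_LS_OUTPUT='total 16
-rw------- 1 root root 3800 Jan  1 10:00 etcd.yaml
-rw------- 1 root root 4100 Jan  1 10:00 kube-apiserver.yaml
-rw------- 1 ubuntu ubuntu 3300 Jan  1 10:00 kube-controller-manager.yaml
-rw------- 1 root root 1400 Jan  1 10:00 kube-scheduler.yaml'

# Read `ls -l` lines on stdin; print the name of each regular file that is not
# owned by root:root. Returns 0 when every file is compliant, 1 otherwise.
check_manifest_ownership() {
    noncompliant=0
    while IFS= read -r line; do
        case "$line" in
            "total "*) continue ;;   # skip the "total N" header line
            -*) ;;                   # regular file: examine it
            *) continue ;;           # directories, symlinks, etc.: ignore
        esac
        set -- $line                 # mode links owner group size mon day time name...
        owner=$3
        group=$4
        shift 8
        name=$*                      # everything after the time is the file name
        if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
            printf '%s\n' "$name"
            noncompliant=1
        fi
    done
    return "$noncompliant"
}

# Run the check against a real directory (default: the page's manifests path).
audit_manifest_dir() {
    ls -l "${1:-/etc/kubernetes/manifests}" | check_manifest_ownership
}

# Apply the page's remediation (chown root:root) only to the flagged files.
# Requires root; safe to re-run because compliant files are never touched.
remediate_manifest_dir() {
    dir=${1:-/etc/kubernetes/manifests}
    ls -l "$dir" | check_manifest_ownership | while IFS= read -r f; do
        chown root:root "$dir/$f"
    done
}
```

Running audit_manifest_dir on a node and acting on a non-zero exit status gives a scriptable version of the manual ls -l inspection; the sample listing above reports kube-controller-manager.yaml.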
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Navigate to the Kubernetes environment.
Locate the controller manager pod and review the pod specification file.
Modify the file ownership so that it matches the required security settings.
Confirm that the ownership changes are applied as expected.
Using AWS CLI:
To revert the file ownership to a less secure setting, run the following command:
sudo chown <user>:<group> /etc/kubernetes/manifests/<controller-manager-pod-file>
References:
Kubernetes Best Practices for Pod Security
AWS EKS Documentation