Profile Applicability:
Level 1
Description:
Ensure that the file permissions for the scheduler pod specification file are set to 600 or more restrictive. This ensures that only the root user or authorized service accounts have access to the file, preventing unauthorized users from reading, modifying, or executing the file.
Rationale:
Restricting the file permissions for the scheduler pod specification file to 600 or more restrictive ensures that sensitive configurations related to the scheduler are not accessible to unauthorized users. This helps maintain the integrity of the Kubernetes scheduler and prevents potential misuse.
Impact:
Pros:
Improves security by preventing unauthorized access or modifications to the scheduler pod specification file.
Helps maintain the integrity of Kubernetes configurations and reduces the attack surface.
Cons:
If file access is too restrictive, it may cause issues with necessary operations or troubleshooting.
Default Value:
By default, the scheduler pod specification file may not have strict file permissions. Manual configuration is required to ensure the permissions are set to 600 or more restrictive.
Pre-Requisites:
Access to the scheduler pod specification file.
Sufficient privileges (root or administrator access) to modify file permissions.
A Kubernetes environment configured with secure file management practices.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Workloads" section and locate the scheduler pod.
Check the file permissions for the scheduler pod specification file to ensure they are set to 600 or more restrictive.
Verify that only authorized users (e.g., root) have access to the file.
Using AWS CLI:
Use the following command to check the file permissions for the scheduler pod specification file:
kubectl exec -it <scheduler-pod-name> -- ls -l /etc/kubernetes/manifests/
Ensure that the file permissions are set to 600 or more restrictive. If not, run the following command to set the permissions:
sudo chmod 600 /etc/kubernetes/manifests/<scheduler-pod-file>
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to the "Workloads" section.
Locate the scheduler pod and review the file permissions for the pod specification file.
If the permissions are not set to 600 or more restrictive, access the pod and update the file permissions.
Using AWS CLI:
Identify the pod name:
kubectl get pods --namespace=kube-system
Access the pod and check the file permissions:
kubectl exec -it <scheduler-pod-name> -- ls -l /etc/kubernetes/manifests/
If needed, change the file permissions:
sudo chmod 600 /etc/kubernetes/manifests/<scheduler-pod-file>
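The check-and-fix steps above, as an added audit helper that is not part of the benchmark or of Kubernetes itself: it treats a mode as compliant only when no permission bit is set outside 0600 (so 600, 400 and 000 pass while 644, 640 and 700 fail) and applies the chmod 600 remediation when asked. The default manifest path and the use of GNU `stat -c` on a Linux node are assumptions.

```shell
#!/bin/sh
# Added example: audit the scheduler manifest's mode against "600 or more restrictive".
# Assumptions: run on a control-plane node (or a shell with the manifests mounted),
# GNU coreutils stat, and this default path, which may differ per distribution.
MANIFEST="${MANIFEST:-/etc/kubernetes/manifests/kube-scheduler.yaml}"

# mode_ok MODE: succeed when MODE (octal, e.g. 600, 0400, 644) has no bits outside 0600.
# The leading 0 makes the arithmetic expansion treat the value as octal.
mode_ok() {
    m=$(( 0${1#0} ))
    [ $(( m & ~0600 )) -eq 0 ]
}

# check_manifest FILE: print PASS/FAIL and return 0 on pass, 1 on fail, 2 if missing.
check_manifest() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    mode=$(stat -c '%a' "$f")
    if mode_ok "$mode"; then
        echo "PASS $f mode $mode"
    else
        echo "FAIL $f mode $mode (expected 600 or more restrictive)"
        return 1
    fi
}

# remediate_manifest FILE: the remediation from the benchmark text.
remediate_manifest() {
    chmod 600 "$1"
}

# Stand-alone use: sh audit.sh /path/to/manifest ; add FIX=1 to apply chmod 600 on failure.
if [ $# -gt 0 ]; then
    check_manifest "$1" || { [ "${FIX:-0}" = 1 ] && remediate_manifest "$1" && check_manifest "$1"; }
fi
```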
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the Kubernetes environment.
Locate the scheduler pod and review the pod specification file.
Modify the file permissions to ensure that they meet the required security standards.
Confirm that the permissions are correctly applied.
Using AWS CLI:
To revert the file permissions to a less restrictive setting, run the following command:
sudo chmod 644 /etc/kubernetes/manifests/<scheduler-pod-file>
References:
Kubernetes Best Practices for Pod Security