Profile Applicability:

  • Level 1

Description:

Ensure that the ownership of the scheduler pod specification file is set to root:root. This ensures that only the root user and the root group have ownership of the file, reducing the risk of unauthorized access or modification.

Rationale:

Setting the ownership of the scheduler pod specification file to root:root ensures that the file is controlled by the root user and group. This enhances security by preventing unauthorized users or processes from altering critical configuration files that could compromise the integrity of the Kubernetes scheduler.

Impact:

  • Restricts access to the scheduler pod specification file to trusted administrators (root).

  • Prevents unauthorized modifications to the scheduler configuration, enhancing system security.

  • If file ownership is incorrectly set, it could cause issues during troubleshooting or operations, especially if ownership needs to be adjusted for automated updates.

Default Value:

  • The scheduler pod specification file is not configured by default to have ownership set to root:root. It requires manual configuration to ensure proper access control.

Pre-Requisites:

  • Access to the scheduler pod specification file.

  • Sufficient privileges (root or administrator access) to modify file ownership.

  • A Kubernetes environment configured with secure file management practices.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Workloads" section and locate the scheduler pod.

  4. Check the ownership of the scheduler pod specification file to ensure it is set to root:root.

  5. Verify that only authorized users (root) have ownership of the file.

Using AWS CLI:

Use the following command to check the file ownership for the scheduler pod specification file:

kubectl exec -it <scheduler-pod-name> -- ls -l /etc/kubernetes/manifests/

Ensure that the file ownership is set to root:root. If not, run the following command to correct it:

sudo chown root:root /etc/kubernetes/manifests/<scheduler-pod-file>

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to the "Workloads" section.

  3. Locate the scheduler pod and review the ownership of the pod specification file.

  4. If the ownership is not set to root:root, modify the file ownership by accessing the pod and updating the ownership to root:root.

Using AWS CLI:

Identify the pod name:

kubectl get pods --namespace=kube-system

Access the pod and check the file ownership:

kubectl exec -it <scheduler-pod-name> -- ls -l /etc/kubernetes/manifests/

If needed, change the file ownership:

sudo chown root:root /etc/kubernetes/manifests/<scheduler-pod-file>
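The check-then-correct procedure from the Test Plan and Implementation Plan above, combined into one auditable script; this is an added example, not part of the benchmark text. It assumes the kubeadm default manifest path /etc/kubernetes/manifests/kube-scheduler.yaml (the page only names `<scheduler-pod-file>`) and must run wherever that file is readable on disk, which for a static pod is the node's manifests directory.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit (and, with REMEDIATE=1,
# correct) the ownership of the scheduler pod specification file.
# Assumption: the kubeadm default manifest path; pass another path as $1.
SCHEDULER_MANIFEST="${1:-/etc/kubernetes/manifests/kube-scheduler.yaml}"

# Print "user:group" for FILE; ls -ld is used so this also works without GNU stat.
owner_of() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Return 0 when FILE is owned by root:root, 1 when not, 2 when it does not exist.
is_root_owned() {
    [ -e "$1" ] || return 2
    [ "$(owner_of "$1")" = "root:root" ]
}

# Audit FILE, print a PASS/FAIL line and, if REMEDIATE=1, run the chown from the
# benchmark. The exit status mirrors the audit result so it can drive a CI gate.
audit_manifest() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "SKIP: $file not found (static pod manifests live on the control-plane node)"
        return 2
    fi
    if is_root_owned "$file"; then
        echo "PASS: $file is owned by root:root"
        return 0
    fi
    echo "FAIL: $file is owned by $(owner_of "$file"), expected root:root"
    if [ "${REMEDIATE:-0}" = "1" ]; then
        if chown root:root "$file"; then
            echo "FIXED: $file is now owned by $(owner_of "$file")"
            return 0
        fi
        echo "ERROR: chown failed for $file (root privileges required)"
    fi
    return 1
}

# Run the audit; a missing file is reported but does not abort the script.
audit_manifest "$SCHEDULER_MANIFEST" || true
```

Run it as `REMEDIATE=1 sh check-scheduler-owner.sh` (as root) to apply the chown; without REMEDIATE it only reports.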

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to the Kubernetes environment.

  3. Locate the scheduler pod and review the pod specification file.

  4. Modify the file ownership to ensure that the ownership matches the required security settings.

  5. Confirm that the ownership changes are applied as expected.

Using AWS CLI:

To revert the file ownership to a less secure setting, run the following command:

sudo chown <user>:<group> /etc/kubernetes/manifests/<scheduler-pod-file>

References: