Profile Applicability:
Level 1
Description:
Ensure that the etcd pod specification file (the static pod manifest the kubelet reads from its manifest directory, /etc/kubernetes/manifests/etcd.yaml on kubeadm-provisioned control-plane nodes) has permissions of 600 or more restrictive. A mode of 600 lets only the file's owner, which should be root, read and write the file; no group member or other user on the node can read or modify it. Kubernetes service accounts play no part here, since this is a host filesystem permission, not an API authorization. The control applies to self-managed control planes (for example on EC2). On an EKS cluster the etcd members run inside the AWS-managed control plane and the file is not reachable from the customer's account or nodes.
Rationale:
The etcd manifest defines how etcd is started: its command-line flags, the paths of its TLS certificates and keys, its data directory and its listening addresses. A user who can write to the file can change any of these, and the kubelet will apply the change by restarting the static pod, which amounts to control of the cluster's datastore. A user who can only read it still learns the certificate and data paths that are the next step in an attack on etcd. Restricting the mode to 600 (owner read and write only, with root as the owner) limits both reading and modification to root on the control-plane node and preserves the integrity of the etcd configuration.
Impact:
Pros:
Limits changes to the etcd startup configuration to the root user on the control-plane node.
Prevents other local users from reading the manifest, including the TLS certificate and key paths it references, or from tampering with it.
Cons:
Tools that run as a non-root user on the control-plane node and read the manifest (for example an unprivileged audit or monitoring agent) lose access and must run as root or be given another way to read it. The kubelet runs as root and is unaffected. The main operational risk is applying the change to the wrong path or file, so verify the mode after changing it.
Default Value:
Depends on the installer that wrote the manifest; the file may be created with a mode of 644 (world-readable), so the value must be checked rather than assumed. On EKS the file does not exist on any customer-accessible host, because AWS manages the control plane.
Pre-Requisites:
Shell access (SSH or SSM Session Manager) to the control-plane node on which etcd runs; this exists only for self-managed clusters, not for the EKS managed control plane.
Root privileges on that node to inspect and change file permissions.
A Kubernetes environment configured with secure file management practices.
Remediation:
Test Plan:
Using AWS Console:
The EKS console cannot perform this check. It shows workloads through the Kubernetes API, not files on a node's disk, and on an EKS cluster etcd runs in the AWS-managed control plane, so no etcd pod or manifest is visible to the customer. Record the control as not applicable to the managed control plane and use the CLI steps only for self-managed control-plane nodes.
Using AWS CLI:
Log in to the control-plane node that runs etcd. On a self-managed cluster the node is shown in the NODE column of:
kubectl get pods -n kube-system -l component=etcd -o wide
The manifest is on the node's filesystem, not inside the etcd container, so kubectl exec into the pod does not reach it. On the node, check the mode, owner and group of the file (the path is the kubeadm default; adjust it if another installer was used):
stat -c '%a %U:%G %n' /etc/kubernetes/manifests/etcd.yaml
The first field must be 600 or more restrictive, for example 600 or 400: no group or other bits and no owner execute bit. If it is not, set the mode and confirm the result:
sudo chmod 600 /etc/kubernetes/manifests/etcd.yaml
stat -c '%a %n' /etc/kubernetes/manifests/etcd.yaml
Implementation Plan:
Using AWS Console:
The permissions cannot be changed from the EKS console: the file lives on the control-plane node's filesystem, which the console does not expose, and on EKS that node belongs to the AWS-managed control plane. For self-managed control planes, apply the change on the node with the CLI steps.
Using AWS CLI:
Identify the control-plane node that runs etcd:
kubectl get pods -n kube-system -l component=etcd -o wide
Open a shell on that node, with SSH or, if the SSM agent is installed on the instance, with Session Manager (replace the instance ID):
aws ssm start-session --target <instance-id>
On the node, record the current mode so it can be restored if needed, then check it:
stat -c '%a %U:%G %n' /etc/kubernetes/manifests/etcd.yaml
If the mode is not 600 or more restrictive, change it and verify the result:
sudo chmod 600 /etc/kubernetes/manifests/etcd.yaml
stat -c '%a %n' /etc/kubernetes/manifests/etcd.yaml
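The check and remediation steps above combined into one script, as an added example that is not part of this benchmark text. It assumes the kubeadm manifest path (overridable through the MANIFEST environment variable) and is meant to run as root on a self-managed control-plane node; on a host without the file, such as an EKS worker node, it reports SKIP, which is the correct finding for the managed control plane.

```shell
#!/usr/bin/env bash
# Added example (not part of the benchmark text): audit, and optionally remediate,
# the permission bits on the etcd static pod manifest of a self-managed control-plane
# node. The path below is the kubeadm default; for other installers it is an assumption
# and can be overridden with the MANIFEST environment variable.
set -u

MANIFEST="${MANIFEST:-/etc/kubernetes/manifests/etcd.yaml}"

# Octal mode of a file as a string ("644", "600", ...). GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when MODE is 600 or more restrictive, i.e. no bit outside owner read/write
# is set. 0177 masks owner-execute plus all group and other bits, so 600 and 400 pass
# while 640, 644 and 700 fail. The leading 0 makes the shell parse MODE as octal.
mode_is_restrictive() {
    [ $(( 0$1 & 0177 )) -eq 0 ]
}

# Report one file: PASS (0), FAIL (1), or SKIP (2) when it does not exist, which is the
# expected result on EKS, where the control plane is not reachable from the customer side.
audit_manifest() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "SKIP: $file not found (no self-managed control plane on this host)"
        return 2
    fi
    mode="$(file_mode "$file")"
    if mode_is_restrictive "$mode"; then
        echo "PASS: $file mode $mode"
        return 0
    fi
    echo "FAIL: $file mode $mode (expected 600 or more restrictive)"
    return 1
}

# Tighten to 600 and re-audit, so the result is verified rather than assumed.
remediate_manifest() {
    file="$1"
    [ -e "$file" ] || { echo "SKIP: $file not found"; return 2; }
    chmod 600 "$file" || return 1
    audit_manifest "$file"
}

# Stand-alone entry point: run without arguments to audit, with --fix to remediate.
# The status is kept in AUDIT_STATUS instead of being passed to exit, so the functions
# above can also be sourced into other scripts or tests without terminating them.
case "${1:-}" in
    --fix) remediate_manifest "$MANIFEST"; AUDIT_STATUS=$? ;;
    *)     audit_manifest "$MANIFEST";     AUDIT_STATUS=$? ;;
esac
```

The check accepts any mode with no bits outside owner read/write (600 and 400 pass; 640, 644 and 700 fail), which is what "600 or more restrictive" means for this control. It deliberately does not check the file's owner, which is a separate control, and it re-reads the mode after chmod rather than trusting that the command succeeded.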
Backout Plan:
Using AWS Console:
No console action is available: the file is on the control-plane node's filesystem, which the EKS console does not expose, and on EKS the control plane is AWS-managed. For a self-managed control plane, revert the change on the node with the CLI steps.
Using AWS CLI:
Restore the previous mode on the control-plane node. Use the value recorded before the change if one was kept; 644 is the common prior value and is shown here. This makes the manifest world-readable again, so do it only to recover from an operational problem and re-apply the control once the problem is resolved:
sudo chmod 644 /etc/kubernetes/manifests/etcd.yaml
stat -c '%a %n' /etc/kubernetes/manifests/etcd.yaml
References: