Profile Applicability:
Level 1
Description:
Ensure that the etcd pod specification file (the static pod manifest the kubelet reads from the control-plane node's filesystem, /etc/kubernetes/manifests/etcd.yaml on kubeadm-provisioned clusters) is owned by root:root. This ensures that only the root user and root group own and control the file, reducing the risk of unauthorized modification of the etcd configuration.
Rationale:
The kubelet starts etcd from this manifest, so anyone who can modify the file controls the etcd process: its command-line flags, TLS settings and mounted volumes. Because etcd stores the entire cluster state, including Secrets, write access to the manifest is equivalent to control of the cluster. Setting the file's ownership to root:root, together with restrictive permissions, ensures that only root can change it and preserves the integrity of the etcd configuration.
Impact:
Pros:
Enhances security by ensuring that only authorized users (root) have ownership and access to the etcd pod specification file.
Prevents unauthorized users or processes from tampering with the file.
Cons:
Tooling or operators that edit the manifest as a non-root user lose write access and must perform troubleshooting or updates as root (for example via sudo). Applying the change to the wrong file, or to a cluster whose distribution stores the manifest elsewhere, does nothing useful and may hide the real issue.
Default Value:
On kubeadm-provisioned control planes the file /etc/kubernetes/manifests/etcd.yaml is written by root and is owned by root:root by default. Ownership can still drift through manual edits, configuration management or a restore from backup, so the setting must be verified rather than assumed.
Pre-Requisites:
Shell access to the control-plane node that hosts the etcd static pod (for example SSH or an equivalent remote session to the EC2 instance).
Root privileges on that node to inspect and change file ownership.
A cluster whose control plane you operate yourself (for example kubeadm on EC2). On Amazon EKS the control plane, including etcd, runs on AWS-managed infrastructure that customers cannot access, so this control cannot be audited or remediated by the customer there and should be recorded as not applicable to the managed control plane.
Remediation:
Test Plan:
Using AWS Console:
The AWS Management Console does not expose the filesystem of a node, and the EKS console lists workloads rather than the files that define them, so file ownership cannot be checked from the console.
On Amazon EKS the etcd pod specification file resides on AWS-managed control-plane nodes that are not accessible to the customer; record this control as not applicable to the managed control plane.
For a self-managed control plane on EC2, use the EC2 console to identify the control-plane instance(s) and connect to them, then perform the checks under "Using AWS CLI" below on the node itself.
Using AWS CLI:
The etcd pod specification is a static pod manifest read by the kubelet from the node's filesystem. The manifests directory is not normally mounted into the etcd container, so kubectl exec into the etcd pod does not show it; the check must run on the control-plane node.
Identify the node hosting etcd (kubeadm labels the static pod with component=etcd):
kubectl get pods -n kube-system -l component=etcd -o wide
Connect to that node and check the ownership of the manifest (etcd.yaml on kubeadm clusters; substitute the file name your distribution uses if it differs):
stat -c %U:%G /etc/kubernetes/manifests/etcd.yaml
The output must be root:root. If it is not, correct it on the node:
sudo chown root:root /etc/kubernetes/manifests/etcd.yaml
Implementation Plan:
Using AWS Console:
The console cannot change the ownership of a file on a node. On Amazon EKS the control plane is AWS-managed and this control is not applicable. For a self-managed control plane on EC2, use the EC2 console to identify and connect to each control-plane instance, then apply the command-line steps below on the node.
Using AWS CLI:
Identify the node hosting the etcd static pod:
kubectl get pods -n kube-system -l component=etcd -o wide
Connect to that node, record the current ownership for the backout plan, and check it:
stat -c %U:%G /etc/kubernetes/manifests/etcd.yaml
If the output is not root:root, change the ownership:
sudo chown root:root /etc/kubernetes/manifests/etcd.yaml
Re-run the stat command to confirm the result is root:root. Repeat on every control-plane node in a multi-node control plane.
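The audit and remediation steps above, combined into one script as an added example; this is not code from the benchmark or from AWS. It assumes a self-managed control-plane node, the kubeadm default manifest path /etc/kubernetes/manifests/etcd.yaml (overridable with ETCD_MANIFEST or a second argument), and root privileges for the remediate action; the function names are the example's own. It distinguishes a wrong owner (exit 1) from a missing manifest (exit 2), so running it on a node that does not host etcd, or on a cluster whose manifests live elsewhere, is reported as SKIP rather than as a pass or a failure. It is not applicable to the AWS-managed control plane of Amazon EKS.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit (and optionally
# remediate) the ownership of the etcd pod specification file.
# Assumptions: runs on a self-managed control-plane node, as root for the
# remediate action; the manifest path is the kubeadm default below.
# Not applicable to the AWS-managed control plane of Amazon EKS.

ETCD_MANIFEST=${ETCD_MANIFEST:-/etc/kubernetes/manifests/etcd.yaml}

# Print the owner of a file as "user:group" (GNU stat, BSD stat fallback).
manifest_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Exit status: 0 = owned by the expected principal (default root:root),
# 1 = owned by someone else, 2 = file missing or unreadable.
check_manifest_owner() {
    _file=$1
    _expected=${2:-root:root}
    [ -f "$_file" ] || return 2
    _actual=$(manifest_owner "$_file") || return 2
    [ "$_actual" = "$_expected" ]
}

# Print a PASS/FAIL/SKIP line for one manifest and propagate the status.
audit_manifest() {
    _file=$1
    if check_manifest_owner "$_file"; then _rc=0; else _rc=$?; fi
    case $_rc in
        0) echo "PASS: $_file is owned by root:root" ;;
        2) echo "SKIP: $_file not found (not a control-plane node, or a different manifest path)" ;;
        *) echo "FAIL: $_file is owned by $(manifest_owner "$_file"), expected root:root" ;;
    esac
    return $_rc
}

# Change ownership to root:root only when it is wrong, then re-check, so the
# function is idempotent and confirms its own effect. Requires root.
remediate_manifest_owner() {
    _file=$1
    if check_manifest_owner "$_file"; then
        return 0
    fi
    [ -f "$_file" ] || return 2
    echo "Remediating: chown root:root $_file"
    chown root:root "$_file" || return 1
    check_manifest_owner "$_file"
}

# Usage: ./etcd-manifest-owner.sh audit|remediate [manifest-path]
if [ $# -gt 0 ]; then
    case $1 in
        audit)     audit_manifest "${2:-$ETCD_MANIFEST}" ;;
        remediate) remediate_manifest_owner "${2:-$ETCD_MANIFEST}" ;;
        *) echo "usage: $0 audit|remediate [manifest-path]" >&2; exit 64 ;;
    esac
fi
```

Run it as root on each control-plane node with `audit` first, keep the reported owner for the backout plan, then run `remediate` and re-run `audit` to confirm PASS. The exit status is suitable for feeding into a compliance job: 0 passes, 1 fails, 2 marks the node as out of scope.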
Backout Plan:
Using AWS Console:
The console offers no way to change file ownership on a node. On Amazon EKS no change was made, so there is nothing to back out. For a self-managed control plane on EC2, identify and connect to the control-plane instance(s) as in the implementation plan and use the command-line steps below.
Using AWS CLI:
To restore the ownership recorded before the change, run the following command on the control-plane node, substituting the previously recorded user and group:
sudo chown <user>:<group> /etc/kubernetes/manifests/etcd.yaml
Confirm the result with stat -c %U:%G /etc/kubernetes/manifests/etcd.yaml. Note that the kubelet runs as root and reads the manifest regardless of its owner, so reverting to a non-root owner is rarely needed operationally and reintroduces the exposure described in the rationale.
References: