Profile Applicability:

  • Level 1

Description:

Ensure that the file permissions for the Container Network Interface (CNI) configuration files are set to 600 or more restrictive. This ensures that only the root user or authorized service accounts can access the CNI configuration file, preventing unauthorized access or modifications to the file, which could impact network configuration and security.

Rationale:

Setting the file permissions to 600 or more restrictive ensures that only the root user or the designated service account has access to the CNI configuration file. This helps prevent unauthorized modifications that could potentially compromise the network configuration of the Kubernetes cluster.

Impact:

Pros:

  • Improves security by preventing unauthorized access to sensitive network configuration files.

  • Helps ensure the integrity of the CNI configuration and reduces the risk of unauthorized changes.

Cons:

  • Misconfigured file permissions could lead to operational difficulties, especially during troubleshooting or updates if proper access is not granted to necessary processes.

Default Value:

By default, CNI configuration files may not have restrictive file permissions. It requires manual configuration to ensure the file permissions are set to 600 or more restrictive.

Pre-Requisites:

  • Access to the CNI configuration files.

  • Sufficient privileges (root or administrator access) to modify file permissions.

  • A Kubernetes environment configured to ensure secure management of network-related configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Workloads" section and locate the pod or node running the CNI plugin.

  4. Check the file permissions for the CNI configuration file to ensure it is set to 600 or more restrictive.

  5. Verify that only authorized users have access to the file.

Using AWS CLI:

Use the following command to check the file permissions for the CNI configuration file:

kubectl exec -it <node-name> -- ls -l /etc/cni/net.d/

Ensure that the file permissions are set to 600 or more restrictive. If not, run the following command to set the permissions:

sudo chmod 600 /etc/cni/net.d/<cni-config-file>

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to the "Workloads" section.

  3. Locate the pod or node where the CNI plugin is running.

  4. Review the file permissions for the CNI configuration file.

  5. If the permissions are not set to 600 or more restrictive, modify the file permissions by accessing the node and updating the permissions.

Using AWS CLI:

Identify the node where the CNI configuration is located:

kubectl get nodes

Access the node and check the file permissions for the CNI configuration file:

kubectl exec -it <node-name> -- ls -l /etc/cni/net.d/

If needed, change the file permissions:

sudo chmod 600 /etc/cni/net.d/<cni-config-file>

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to the Kubernetes environment and locate the node or pod where the CNI configuration is stored.

  3. Review the CNI configuration file's permissions.

  4. If necessary, modify the file permissions to ensure proper access.

  5. Confirm that the permissions changes are applied successfully.

Using AWS CLI:

To revert the file permissions to a less restrictive setting, run the following command:

sudo chmod 644 /etc/cni/net.d/<cni-config-file>

References: