Profile Applicability:
Level 1
Description:
Ensure that the ownership of the Container Network Interface (CNI) configuration file is set to root:root. This ensures that the root user and root group have ownership of the file, restricting access and preventing unauthorized users from modifying the CNI configuration.
Rationale:
Setting the ownership of the CNI configuration file to root:root ensures that only the root user and the root group have control over the file. This reduces the risk of unauthorized changes to the network configuration, which could compromise the security and stability of the Kubernetes cluster.
Impact:
Pros:
Increases security by ensuring that only trusted users (root) can access and modify the CNI configuration.
Protects the integrity of network configuration and avoids malicious alterations.
Cons:
If ownership is misconfigured, operational issues can arise, especially during system updates or troubleshooting, when access that is needed has been restricted.
Default Value:
The CNI configuration file is not configured by default to have ownership set to root:root. It requires manual configuration.
Pre-Requisites:
Access to the CNI configuration file.
Sufficient privileges (root or administrator access) to modify file ownership.
A Kubernetes environment with secure management of network configurations.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Workloads" section and locate the pod or node running the CNI plugin.
Check the ownership of the CNI configuration file to ensure it is set to root:root.
Verify that only authorized users (root) have ownership of the file.
Using AWS CLI:
Use the following command to check the ownership of the CNI configuration files on the node. kubectl exec targets pods rather than nodes, so a node debug pod is used; the node's filesystem is mounted under /host inside that pod:
kubectl debug node/<node-name> -it --image=busybox -- ls -l /host/etc/cni/net.d/
Ensure that each file is owned by root:root. If not, run the following command on the node itself (for example over SSH or an SSM session) to correct it:
sudo chown root:root /etc/cni/net.d/<cni-config-file>
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to the "Workloads" section.
Locate the pod or node where the CNI plugin is running.
Review the ownership of the CNI configuration file.
If the ownership is not set to root:root, modify the file ownership by accessing the node and updating the ownership to root:root.
Using AWS CLI:
Identify the node where the CNI configuration is located:
kubectl get nodes
Start a debug pod on the node and check the ownership of the CNI configuration files (the node's filesystem is mounted under /host in the debug pod):
kubectl debug node/<node-name> -it --image=busybox -- ls -l /host/etc/cni/net.d/
If needed, change the file ownership on the node itself (for example over SSH or an SSM session):
sudo chown root:root /etc/cni/net.d/<cni-config-file>
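An audit script covering both the Test Plan and the Implementation Plan CLI steps above, added here as an example rather than taken from the benchmark or from AWS: it checks every file in the CNI configuration directory instead of one named file, and applies chown only where the owner differs from root:root. The script name cni-owner-audit.sh and the CNI_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit every regular file in a
# CNI configuration directory and report those not owned by root:root, then
# optionally remediate. Assumes GNU, BusyBox or BSD stat; CNI_DIR defaults to
# the path used in the benchmark (an assumption for other distributions).

CNI_DIR="${CNI_DIR:-/etc/cni/net.d}"

# Print "user:group" for one file; GNU/BusyBox stat first, BSD stat as fallback.
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Return 0 when every regular file in directory $1 is owned by $2 (default
# root:root); otherwise print one FAIL line per offending file and return 1.
audit_cni_ownership() {
    dir="$1"
    expected="${2:-root:root}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(file_owner "$f")
        if [ "$owner" = "$expected" ]; then
            echo "PASS $f owner=$owner"
        else
            echo "FAIL $f owner=$owner expected=$expected"
            rc=1
        fi
    done
    return "$rc"
}

# Remediation from the benchmark, applied only to files that fail the audit.
# Must run as root on the node itself (for example over SSH or an SSM session).
fix_cni_ownership() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(file_owner "$f")" = "root:root" ] || chown root:root "$f"
    done
}

# Usage on a node:  sh cni-owner-audit.sh --audit   (or --fix, as root)
case "${1:-}" in
    --audit) audit_cni_ownership "$CNI_DIR" ;;
    --fix)   fix_cni_ownership "$CNI_DIR" && audit_cni_ownership "$CNI_DIR" ;;
esac
```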
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Navigate to the Kubernetes environment and locate the node or pod where the CNI configuration is stored.
Review the CNI configuration file's ownership.
If necessary, modify the file ownership to ensure proper access control.
Confirm that the ownership changes are applied successfully.
Using AWS CLI:
To revert the file ownership to the previous, less secure setting, run the following command on the node:
sudo chown <user>:<group> /etc/cni/net.d/<cni-config-file>
References:
Kubernetes Network Configuration