Profile Applicability:
Level 1
Description:
Ensure that the file permissions for the scheduler.conf file are set to 600 or more restrictive. This ensures that only the root user or authorized service accounts can access the file, preventing unauthorized access or modifications to this sensitive configuration.
Rationale:
Setting the file permissions to 600 ensures that only the root user or the designated service account has access to the scheduler.conf file. This prevents unauthorized users from viewing or modifying the configuration, which could lead to potential security vulnerabilities or operational disruptions in the Kubernetes scheduler.
Impact:
Enhances security by restricting access to sensitive scheduler configuration files.
Helps ensure that only authorized users or processes can alter the scheduler configuration, preserving the integrity of the Kubernetes scheduler.
If file permissions are improperly configured, it may cause operational issues, especially if necessary access is restricted during system updates or troubleshooting.
Default Value:
By default, the scheduler.conf file may not have restrictive file permissions. Manual configuration is required to set the permissions to 600 or more restrictive.
Pre-Requisites:
Access to the scheduler.conf file.
Sufficient privileges (root or administrator access) to modify file permissions.
A Kubernetes environment configured to manage file permissions securely.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Workloads" section and locate the pod or node running the Kubernetes scheduler.
Check the file permissions for the scheduler.conf file to ensure it is set to 600 or more restrictive.
Verify that only authorized users have access to the file.
Using AWS CLI:
Connect to the control plane node that holds the file (for example over SSH or AWS Systems Manager Session Manager; kubectl exec targets pods, not nodes) and check the file permissions for the scheduler.conf file:
ls -l /etc/kubernetes/scheduler.conf
Ensure that the file permissions are set to 600 or more restrictive (the mode column should read -rw------- or -r--------, with no group or other bits set). If not, run the following command on the node to set the permissions:
sudo chmod 600 /etc/kubernetes/scheduler.conf
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to the "Workloads" section.
Locate the pod or node running the Kubernetes scheduler.
Review the file permissions for the scheduler.conf file.
If the permissions are not set to 600 or more restrictive, modify the file permissions by accessing the node and updating the permissions.
Using AWS CLI:
Identify the node where the scheduler.conf file is located:
kubectl get nodes
Connect to that node (for example over SSH or Session Manager) and check the file permissions for the scheduler.conf file:
ls -l /etc/kubernetes/scheduler.conf
If needed, change the file permissions:
sudo chmod 600 /etc/kubernetes/scheduler.conf
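The audit and remediation steps above, turned into a small POSIX shell script as an added example (this is not part of the benchmark text or any vendor tooling). It assumes GNU coreutils stat (Linux) and takes the file path as a parameter, so the same functions can be pointed at /etc/kubernetes/scheduler.conf on a control plane node; the demonstration at the bottom runs against a constructed temporary file, not the real scheduler.conf, so it is safe to execute anywhere. The check encodes "600 or more restrictive" precisely: no setuid, setgid or sticky bit, no owner execute bit, and no group or other permission bits at all.

```shell
#!/bin/sh
# Added example (not part of the benchmark): verify that a kubeconfig-style file
# such as scheduler.conf is mode 600 or more restrictive, and remediate if not.
# Assumes GNU coreutils stat (Linux).

# Returns 0 when an octal mode string (as printed by `stat -c %a`, e.g. 600, 400,
# 644, 4600) is 600 or more restrictive.  Octal mask 07177 selects exactly the
# bits that must be clear: setuid/setgid/sticky (07000), owner execute (0100)
# and every group/other bit (077).  Returns 2 for a non-octal argument.
is_mode_compliant() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;
    esac
    [ $(( 0$1 & 07177 )) -eq 0 ]
}

# Prints the current octal mode of a file; fails if the file cannot be stat'ed.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Audit one file: 0 = compliant, 1 = too permissive, 2 = missing or unreadable.
check_file() {
    mode=$(file_mode "$1") || { echo "MISSING $1"; return 2; }
    if is_mode_compliant "$mode"; then
        echo "PASS    $1 (mode $mode)"
        return 0
    fi
    echo "FAIL    $1 (mode $mode, expected 600 or more restrictive)"
    return 1
}

# Remediation from the benchmark: set the file to 600.
remediate_file() {
    chmod 600 "$1"
}

# Self-contained demonstration on a constructed temporary file (not the real
# scheduler.conf): start too permissive, audit, fix, audit again.
demo() {
    tmp=$(mktemp) || return 2
    chmod 644 "$tmp"                 # deliberately non-compliant starting point
    if ! check_file "$tmp"; then
        remediate_file "$tmp"
    fi
    check_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

To audit the real file, call check_file /etc/kubernetes/scheduler.conf on the node as root; the exit status (0, 1 or 2) makes the function usable from a cron job or configuration-management hook, and remediate_file applies the same chmod 600 the benchmark prescribes.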
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Navigate to the instance or node where the scheduler.conf file is stored.
Review the file permissions for the scheduler.conf file.
Modify the file permissions to ensure they are correctly set.
Confirm that the permissions changes are applied successfully.
Using AWS CLI:
To revert the file permissions to a less restrictive setting, run the following command:
sudo chmod 644 /etc/kubernetes/scheduler.conf