Profile Applicability:
Level 1
Description:
Ensure that the ownership of the controller-manager.conf file is set to root:root. This file is the kubeconfig the kube-controller-manager uses to authenticate to the API server and therefore carries its client credentials; setting the owner and group to root ensures that only root can change who may read or write it, preventing unauthorized access or modification.
Rationale:
Setting the ownership of the controller-manager.conf file to root:root ensures that only the root user has control over the file, reducing the risk of unauthorized access or tampering. Proper file ownership is a fundamental aspect of system security, helping prevent accidental or malicious changes to important system configurations.
Impact:
Pros:
Enhances security by ensuring that only the root user has ownership and control over the file.
Prevents unauthorized users or processes from modifying sensitive configuration data.
Cons:
If the ownership is set to the wrong user or group (for example, a non-root account that is not the one the controller manager runs as), the controller manager or administrative tooling may lose access to the file. On a kubeadm-provisioned control plane the kube-controller-manager static pod runs as root, so root:root does not interfere with its access.
Default Value:
On kubeadm-provisioned clusters the file is created as root:root. Ownership can still drift (for example after a restore from backup or an out-of-band edit), so it must be verified and, if necessary, reset to root:root.
Pre-Requisites:
A self-managed control plane (for example kubeadm on EC2) and SSH access to the node where the controller-manager.conf file resides. On Amazon EKS the control plane, and this file with it, is managed by AWS and is not reachable from customer nodes, so this check does not apply there.
Sufficient privileges (root or sudo) on that node to inspect and modify file ownership.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 instances running the Kubernetes controller manager.
SSH into the node where the controller-manager.conf file is located.
Check the ownership of the controller-manager.conf file:
ls -l /etc/kubernetes/controller-manager.conf
Record the result: the check passes if the owner and group are root:root and fails otherwise (a missing file is also a failure, since the control cannot be verified).
Using AWS CLI:
SSH into the node where the controller-manager.conf file is located.
Check the ownership of the controller-manager.conf file:
ls -l /etc/kubernetes/controller-manager.conf
Record the result: the check passes only if the owner and group are root:root.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes controller manager.
SSH into the node running the controller manager.
Check the current ownership of the controller-manager.conf file:
ls -l /etc/kubernetes/controller-manager.conf
If the ownership is not set to root:root, change the ownership:
sudo chown root:root /etc/kubernetes/controller-manager.conf
Verify that the ownership has been updated:
ls -l /etc/kubernetes/controller-manager.conf
Using AWS CLI:
SSH into the node where the Kubernetes controller manager is running
Check the ownership of the controller-manager.conf file:
ls -l /etc/kubernetes/controller-manager.conf
If the ownership is not set to root:root, use the following command to change the ownership:
sudo chown root:root /etc/kubernetes/controller-manager.conf
Verify that the ownership has been updated:
ls -l /etc/kubernetes/controller-manager.conf
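The test and implementation plans above both reduce to the same two operations: read the owner and group, and reset them to root:root when they differ. The script below is an added example (not part of the original page or of any Kubernetes project code) that does this with stat(1), which prints the owner and group directly and is easier to check in a script than parsing `ls -l`. It generalizes the check to the other kubeadm control-plane kubeconfigs (scheduler.conf and admin.conf, whose paths are assumed to follow kubeadm's default layout); the `--audit` and `--fix` arguments, `EXPECTED_OWNER` and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the original page): audit and remediate the
# ownership of kubeadm-style control-plane kubeconfig files.
# Requires GNU stat(1). Run on a self-managed control-plane node; run with
# --fix as root. Default paths assume kubeadm's /etc/kubernetes layout.
set -u

EXPECTED_OWNER="root:root"
KUBECONFIGS="/etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf /etc/kubernetes/admin.conf"

# Print "owner:group" for a file, e.g. "root:root".
# Returns non-zero and prints nothing if the file does not exist.
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null
}

# Return 0 if FILE is owned by EXPECTED (default root:root), 1 otherwise.
# A missing file is a failure, not a pass: the control cannot be verified.
check_owner() {
    local file="$1" expected="${2:-$EXPECTED_OWNER}" owner
    owner="$(file_owner "$file")" || return 1
    [ "$owner" = "$expected" ]
}

# Change ownership to EXPECTED and re-read it with stat, so that a chown
# that did not take effect (wrong path, read-only filesystem) is caught.
fix_owner() {
    local file="$1" expected="${2:-$EXPECTED_OWNER}"
    chown "$expected" "$file" || return 1
    check_owner "$file" "$expected"
}

# Audit every path given: print one PASS/FAIL line per file and return the
# number of failing files (0 means every file is compliant).
audit_files() {
    local failures=0 file
    for file in "$@"; do
        if check_owner "$file"; then
            printf 'PASS %s is %s\n' "$file" "$EXPECTED_OWNER"
        else
            printf 'FAIL %s is %s (expected %s)\n' "$file" \
                "$(file_owner "$file" || echo missing)" "$EXPECTED_OWNER"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Entry point: "--audit" reports, "--fix" remediates then reports.
# Without an argument the script only defines the functions above.
case "${1:-}" in
    --fix)
        # shellcheck disable=SC2086  # KUBECONFIGS is intentionally word-split
        for f in $KUBECONFIGS; do
            check_owner "$f" || fix_owner "$f" || echo "could not fix $f" >&2
        done
        audit_files $KUBECONFIGS
        ;;
    --audit)
        audit_files $KUBECONFIGS
        ;;
esac
```

Run `sh audit-kubeconfig-owner.sh --audit` to produce the test-plan evidence (one line per file, exit status equal to the number of failures) and `sudo sh audit-kubeconfig-owner.sh --fix` for the implementation plan. Re-reading ownership after `chown` rather than trusting its exit status is what turns the "Verify that the ownership has been updated" step into something a script can fail on.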
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes controller manager.
SSH into the node running the controller manager.
If the change must be reverted (for example because a process that legitimately needs the file was found to run as a different account), restore the previously recorded owner and group by running:
sudo chown <user>:<group> /etc/kubernetes/controller-manager.conf
Verify the updated ownership:
ls -l /etc/kubernetes/controller-manager.conf
Using AWS CLI:
SSH into the node where the Kubernetes controller manager is running.
If required, restore the previously recorded owner and group:
sudo chown <user>:<group> /etc/kubernetes/controller-manager.conf
Verify the ownership change:
ls -l /etc/kubernetes/controller-manager.conf
References:
Kubernetes Controller Manager Configuration: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/