Profile Applicability:
Level 1
Description:
Ensure that the Kubernetes PKI (Public Key Infrastructure) directory and the files within it are owned by root:root. The PKI directory contains sensitive certificates and keys used for securing communication within the Kubernetes cluster. Setting the ownership to root:root ensures that only authorized users (typically root) have access to these files, preventing unauthorized modifications or access.
Rationale:
Setting the ownership of the Kubernetes PKI directory and its files to root:root is crucial for security. These certificates and keys are used to authenticate components of the Kubernetes cluster, such as the API server, etcd, and kubelets. Misconfigured ownership can lead to unauthorized access, which could compromise the entire cluster's security. Ensuring correct ownership helps maintain the confidentiality, integrity, and availability of these critical resources.
Impact:
Pros:
Ensures that only authorized users (root) have access to the Kubernetes PKI directory and its files.
Reduces the risk of unauthorized modification or access to sensitive certificates and keys.
Improves security by preventing potential attacks that exploit misconfigured file permissions.
Cons:
If ownership is not correctly set, it could result in operational issues, such as failure to read certificates or keys, leading to failures in secured communication between cluster components.
Requires secure management of the file ownership settings to avoid misconfigurations.
Default Value:
By default, the ownership of files in the Kubernetes PKI directory may not be set to root:root. Manual configuration is required to ensure proper file ownership.
Pre-Requisites:
Access to the Kubernetes PKI directory (usually located at /etc/kubernetes/pki).
Sufficient privileges (root or administrator access) to modify file ownership.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 instances running the Kubernetes master node.
SSH into the node where the Kubernetes PKI directory is located.
Check the ownership of the PKI directory and files:
ls -l /etc/kubernetes/pki/
Ensure that the ownership of all files within the PKI directory is set to root:root. If the ownership is not correct, update it.
Using AWS CLI:
SSH into the node where the Kubernetes PKI directory is located.
Check the ownership of the directory and its files:
ls -l /etc/kubernetes/pki/
If the ownership is not set to root:root, correct it as described in the Implementation Plan below.
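The check described in the Test Plan above, as an added shell example (it is not part of this control's text or of any Kubernetes or AWS tooling): instead of reading ls -l by eye, it walks the whole PKI tree, lists every directory or file whose owner:group is not the expected value, and returns non-zero when anything deviates. The directory and the expected owner are parameters (defaulting to /etc/kubernetes/pki and root:root) so the check can be exercised on a scratch directory; it assumes GNU find with -printf, i.e. a Linux node.

```shell
#!/bin/sh
# Added audit helper for the Test Plan: list entries under a PKI directory whose
# owner:group is not the expected one (default root:root), and fail if any exist.
# Assumes GNU find (-printf), i.e. a Linux node. DIR and OWNER:GROUP are parameters
# so the check can be run against a scratch directory as well as the real one.

# pki_ownership_violations [DIR] [OWNER:GROUP]
# Prints "owner:group path" for every directory or file that deviates; always returns 0.
pki_ownership_violations() {
    dir=${1:-/etc/kubernetes/pki}
    want=${2:-root:root}
    # The start directory itself is included, so the directory's own owner is checked too.
    # Plain string comparison in awk: an unknown user name simply never matches.
    find "$dir" -printf '%u:%g %p\n' | awk -v want="$want" '$1 != want { print }'
    return 0
}

# pki_ownership_check [DIR] [OWNER:GROUP]
# Returns 0 when every entry matches, 1 when deviations exist (listed on stderr),
# 2 when DIR does not exist (a missing PKI directory must not pass as "clean").
pki_ownership_check() {
    dir=${1:-/etc/kubernetes/pki}
    want=${2:-root:root}
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi
    count=$(pki_ownership_violations "$dir" "$want" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "OK: all entries under $dir are owned by $want"
        return 0
    fi
    echo "FAIL: $count entries under $dir are not owned by $want:" >&2
    pki_ownership_violations "$dir" "$want" >&2
    return 1
}

# "sh pki-audit.sh --run [DIR] [OWNER:GROUP]" performs the audit; without --run the
# file only defines the functions, so it can be sourced by other scripts.
if [ "${1:-}" = "--run" ]; then
    shift
    pki_ownership_check "$@"
fi
```

On a control-plane node, sh pki-audit.sh --run audits /etc/kubernetes/pki against root:root and its exit status (0 pass, 1 fail, 2 directory missing) can feed a scheduled compliance job; the directory itself is part of the listing, since the control covers the directory as well as the files within it.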
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes master node.
SSH into the node where the Kubernetes PKI directory is located.
Check the current ownership of the files in the /etc/kubernetes/pki/ directory:
ls -l /etc/kubernetes/pki/
If the ownership is not set to root:root, change the ownership of the PKI directory and its files:
sudo chown -R root:root /etc/kubernetes/pki/
Verify the updated ownership:
ls -l /etc/kubernetes/pki/
Using AWS CLI:
SSH into the node where the Kubernetes PKI directory is located.
Check the current ownership of the files in /etc/kubernetes/pki/:
ls -l /etc/kubernetes/pki/
If the ownership is incorrect, update it:
sudo chown -R root:root /etc/kubernetes/pki/
Verify that the ownership has been updated:
ls -l /etc/kubernetes/pki/
Backout Plan:
Using AWS Console:
Sign in to the AWS Console and locate the EC2 instance running the Kubernetes master node.
SSH into the node where the Kubernetes PKI directory is located.
If necessary, revert the ownership to its previous value (if a specific user or group was originally set):
sudo chown -R <user>:<group> /etc/kubernetes/pki/
Verify the updated ownership:
ls -l /etc/kubernetes/pki/
Using AWS CLI:
SSH into the node where the Kubernetes PKI directory is located.
To revert the ownership, run:
sudo chown -R <user>:<group> /etc/kubernetes/pki/
Verify that the ownership has been reverted:
ls -l /etc/kubernetes/pki/
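The Implementation Plan and Backout Plan above change ownership with chown -R, but neither step records what the previous owner of each file was, which is exactly what the backout needs. The following added shell example (not from this control and not Kubernetes or AWS tooling) snapshots owner:group per path before remediation, applies the remediation, restores from the record for the backout, and reports drift between the record and the current state for the verify steps. The function names, the manifest file format and the parameters are this example's own; it assumes GNU find and chown (Linux) and that the apply and restore steps run as root.

```shell
#!/bin/sh
# Added helpers for the Implementation and Backout Plans: record owner:group for
# every entry before chown -R, apply the remediation, restore from the record, and
# report drift between record and current state. Assumes GNU find/chown (Linux).
# Manifest format (one entry per line): "owner:group path"

# pki_ownership_snapshot DIR MANIFEST
# Record current ownership of DIR and everything beneath it (run BEFORE remediation).
# Keep MANIFEST outside DIR so the record does not list itself.
pki_ownership_snapshot() {
    find "$1" -printf '%u:%g %p\n' > "$2"
}

# pki_ownership_apply DIR [OWNER:GROUP]
# The Implementation Plan's step: recursive chown, root:root unless told otherwise.
pki_ownership_apply() {
    chown -R "${2:-root:root}" "$1"
}

# pki_ownership_restore MANIFEST
# The Backout Plan's step: reapply each recorded owner:group to its own path.
# Each line is split at the first space only, so paths containing spaces survive.
pki_ownership_restore() {
    while IFS= read -r line; do
        chown "${line%% *}" "${line#* }"
    done < "$1"
}

# pki_ownership_drift MANIFEST
# For the "Verify" steps: print "recorded -> current path" for every entry whose
# ownership no longer matches the record ("missing" if the path is gone). Returns 0.
pki_ownership_drift() {
    while IFS= read -r line; do
        recorded=${line%% *}
        path=${line#* }
        current=$(find "$path" -maxdepth 0 -printf '%u:%g' 2>/dev/null || echo missing)
        [ "$current" = "$recorded" ] || echo "$recorded -> $current $path"
    done < "$1"
    return 0
}
```

Typical sequence on the node, after sourcing the file: pki_ownership_snapshot /etc/kubernetes/pki /root/pki-ownership.before, then pki_ownership_apply /etc/kubernetes/pki; pki_ownership_drift /root/pki-ownership.before now lists exactly the entries the remediation changed (empty output means ownership was already root:root). For the backout, pki_ownership_restore /root/pki-ownership.before followed by an empty pki_ownership_drift confirms the original ownership is back, without having to guess the <user>:<group> placeholders.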