Profile Applicability:
Level 1
Description:
Ensure that the Kubernetes PKI (Public Key Infrastructure) certificate files, such as the API server certificate, etcd certificate, and other critical certificates used within the cluster, have their permissions set to 600 or more restrictive. This ensures that only authorized users (typically the root user) have access to these files, preventing unauthorized access to sensitive certificate data.
Rationale:
Kubernetes PKI certificate files contain sensitive information, such as public/private key pairs used for securing communications within the Kubernetes cluster. Setting the permissions to 600 or more restrictive ensures that only the root user can access and modify these files, preventing unauthorized access and protecting the integrity and confidentiality of the certificates.
Impact:
Pros:
Enhances security by preventing unauthorized access to sensitive Kubernetes certificate files.
Helps ensure that only authorized users (typically root) can modify or access certificates.
Cons:
Misconfiguration or overly restrictive permissions could cause operational issues, such as the inability to read certificates, leading to failures in Kubernetes components that rely on them for authentication and secure communication.
Default Value:
By default, Kubernetes PKI certificate file permissions may be more permissive than 600. These permissions need to be configured manually to ensure proper security.
Pre-Requisites:
Access to the Kubernetes PKI certificate files (usually located in /etc/kubernetes/pki).
Sufficient privileges (root or administrator access) to modify file permissions.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 instances running the Kubernetes master node.
SSH into the node where the Kubernetes PKI certificate files are stored.
Check the permissions of the files in the Kubernetes PKI directory:
ls -l /etc/kubernetes/pki/
Ensure that the certificate files (e.g., apiserver.crt, apiserver.key, etcd.crt, etcd.key) have their permissions set to 600 or more restrictive.
Using AWS CLI:
SSH into the node where the Kubernetes PKI certificate files are located.
Check the permissions of the files in /etc/kubernetes/pki/:
ls -l /etc/kubernetes/pki/
If the permissions are not set to 600, update them as needed.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes master node.
SSH into the node where the Kubernetes PKI certificate files are stored.
Check the current permissions of the certificate files in /etc/kubernetes/pki/:
ls -l /etc/kubernetes/pki/
If the permissions are not set to 600, change them by running:
sudo chmod 600 /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/*.key
Verify that the permissions have been correctly updated:
ls -l /etc/kubernetes/pki/
Using AWS CLI:
SSH into the node where the Kubernetes PKI certificate files are located.
Check the current permissions of the certificate files:
ls -l /etc/kubernetes/pki/
If the permissions are not set to 600, update them with the following command:
sudo chmod 600 /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/*.key
Verify the updated permissions:
ls -l /etc/kubernetes/pki/
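The permission check from the Test Plan and the chmod from the Implementation Plan above, as an added shell example that is not part of this benchmark page. It assumes GNU coreutils `stat -c` and a POSIX sh; unlike the page's non-recursive glob it also descends into subdirectories such as etcd/, where kubeadm places the etcd certificates, and it exercises the check against a constructed temporary directory rather than a live node.

```shell
#!/bin/sh
# Added example, not from the benchmark text. Assumes GNU coreutils
# `stat -c` and a POSIX shell; the directory defaults to the page's path.

# Print "<octal mode> <path>" for every .crt/.key file under $1 whose
# mode is more permissive than 600 (any group or other bit set).
audit_pki_perms() {
    dir="${1:-/etc/kubernetes/pki}"
    find "$dir" -type f \( -name '*.crt' -o -name '*.key' \) | sort |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        # The leading 0 makes the shell read the mode as octal; 077 masks
        # the group/other bits, which must all be clear for 600 or stricter.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
}

# Succeed (exit 0) only when audit_pki_perms reports no findings.
check_pki_perms() {
    [ -z "$(audit_pki_perms "$1")" ]
}

# Remediation from the Implementation Plan, applied recursively.
fix_pki_perms() {
    dir="${1:-/etc/kubernetes/pki}"
    find "$dir" -type f \( -name '*.crt' -o -name '*.key' \) -exec chmod 600 {} +
}

# Constructed sample tree (empty placeholder files, not real certificates)
# so the check can be exercised without touching a live node.
make_sample_pki() {
    d=$(mktemp -d)
    mkdir "$d/etcd"
    for spec in ca.crt:644 ca.key:600 apiserver.crt:600 \
                apiserver.key:640 etcd/server.key:644; do
        f="$d/${spec%%:*}"
        : > "$f"
        chmod "${spec##*:}" "$f"
    done
    printf '%s\n' "$d"
}
```

Run `audit_pki_perms` on a node to list non-compliant files before deciding whether to apply `fix_pki_perms`.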
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes master node.
SSH into the node running the Kubernetes components.
If necessary, revert the permissions to a less restrictive setting, such as 644:
sudo chmod 644 /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/*.key
Verify the updated permissions:
ls -l /etc/kubernetes/pki/
Using AWS CLI:
SSH into the node where the Kubernetes PKI certificate files are located.
To revert the permissions, run:
sudo chmod 644 /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/*.key
Verify that the permissions have been reverted:
ls -l /etc/kubernetes/pki/
References:
Kubernetes Security Best Practices