Profile Applicability:
Level 1
Description:
Ensure that the Kubernetes PKI key files (such as apiserver.key, etcd.key, and other private key files) have their permissions set to 600. This ensures that only authorized users (typically root) can read and modify the files, which is essential for protecting sensitive private key material used for secure communication within the Kubernetes cluster.
Rationale:
Kubernetes PKI key files contain sensitive private keys used to authenticate and secure communications between various components of the Kubernetes cluster, including the API server, etcd, and kubelets. Setting the permissions to 600 ensures that only the root user has access to these keys, which helps prevent unauthorized access and potential security breaches.
Impact:
Pros:
Enhances security by preventing unauthorized access to the private keys used in the cluster.
Helps ensure that the Kubernetes cluster remains secure by restricting access to the key files to only trusted administrators.
Cons:
Misconfiguration or overly restrictive permissions could cause operational issues, such as components failing to access their required key files, resulting in communication failures within the cluster.
Default Value:
By default, the Kubernetes PKI key file permissions may not be set to 600. These settings need to be manually configured to ensure proper security.
Pre-Requisites:
Access to the Kubernetes PKI key files (usually located in /etc/kubernetes/pki).
Sufficient privileges (root or administrator access) to modify file permissions.
Test plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 instances running the Kubernetes master node.
SSH into the node where the Kubernetes PKI key files are located.
Check the permissions of the files in the Kubernetes PKI directory:
ls -l /etc/kubernetes/pki/
Ensure that the key files (e.g., apiserver.key, etcd.key) have their permissions set to 600 or more restrictive. If the permissions are not correct, update them as needed.
Using AWS CLI:
SSH into the node where the Kubernetes PKI key files are located.
Check the permissions of the files in /etc/kubernetes/pki/:
ls -l /etc/kubernetes/pki/
If the permissions are not set to 600, update them with the following command:
sudo chmod 600 /etc/kubernetes/pki/*.key
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes master node.
SSH into the node where the Kubernetes PKI key files are located.
Check the current permissions of the key files in /etc/kubernetes/pki/:
ls -l /etc/kubernetes/pki/
If the permissions are not set to 600, change them by running:
sudo chmod 600 /etc/kubernetes/pki/*.key
Verify that the permissions have been correctly updated:
ls -l /etc/kubernetes/pki/
Using AWS CLI:
SSH into the node where the Kubernetes PKI key files are located.
Check the current permissions of the key files:
ls -l /etc/kubernetes/pki/
If the permissions are not set to 600, use the following command to correct them:
sudo chmod 600 /etc/kubernetes/pki/*.key
Verify the updated permissions:
ls -l /etc/kubernetes/pki/
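The manual ls -l checks in the Test Plan and the chmod step in the Implementation Plan can be scripted so the audit is repeatable across nodes. The following is an added example, not part of the benchmark text: audit_pki_keys and remediate_pki_keys are hypothetical helper names, the directory defaults to the /etc/kubernetes/pki path named above, and the demo writes constructed empty files to a temporary directory rather than touching real key material.

```bash
#!/bin/sh
# Audit Kubernetes PKI private key files for permissions wider than 600.
# Hypothetical helper script; the directory defaults to /etc/kubernetes/pki.

# Print every *.key file under $1 whose mode grants any group/other bits,
# one "path mode" pair per line. Returns 1 if any such file exists, 0 otherwise.
audit_pki_keys() {
  dir="${1:-/etc/kubernetes/pki}"
  rc=0
  for f in "$dir"/*.key; do
    [ -e "$f" ] || continue
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Keep the lowest three octal digits (drops setuid/setgid/sticky if present).
    perm=$(printf '%03d' "$((mode % 1000))")
    group_other=${perm#?}
    if [ "$group_other" != "00" ]; then
      printf '%s %s\n' "$f" "$perm"
      rc=1
    fi
  done
  return $rc
}

# Tighten every *.key file under $1 to 600 (the benchmark's remediation step).
remediate_pki_keys() {
  dir="${1:-/etc/kubernetes/pki}"
  chmod 600 "$dir"/*.key
}

# Constructed demo: empty placeholder files in a temp dir, not real keys.
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/apiserver.key"; chmod 644 "$tmp/apiserver.key"
  : > "$tmp/etcd.key";      chmod 600 "$tmp/etcd.key"
  : > "$tmp/ca.crt";        chmod 644 "$tmp/ca.crt"   # certificates are out of scope
  audit_pki_keys "$tmp"     # reports apiserver.key 644 and returns 1
  remediate_pki_keys "$tmp"
  audit_pki_keys "$tmp"     # reports nothing and returns 0
  rm -rf "$tmp"
}

demo
```

Run audit_pki_keys with no argument on a control-plane node to list any key file that still fails the check before and after applying chmod 600.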
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console and locate the EC2 instance running the Kubernetes master node.
SSH into the node running the Kubernetes components.
If necessary, revert the permissions to a less restrictive setting, such as 644:
sudo chmod 644 /etc/kubernetes/pki/*.key
Verify the updated permissions:
ls -l /etc/kubernetes/pki/
Using AWS CLI:
SSH into the node where the Kubernetes PKI key files are located.
To revert the permissions, run:
sudo chmod 644 /etc/kubernetes/pki/*.key
Verify that the permissions have been reverted:
ls -l /etc/kubernetes/pki/