Profile Applicability:
Level 1
Description:
Ensure that the --service-account-private-key-file argument in the Kubernetes API server configuration is set to the correct private key file. This argument specifies the location of the private key used by the API server to sign service account tokens. Service account tokens are used for API authentication and authorization, so using a valid private key is crucial for maintaining security.
Rationale:
Setting the --service-account-private-key-file argument ensures that the Kubernetes API server uses the appropriate private key to sign service account tokens. A properly configured key provides a trusted mechanism for API authentication, ensuring that tokens are valid and not tampered with. This enhances the security and integrity of the authentication system within the cluster.
Impact:
Pros:
Provides secure authentication for service accounts by signing tokens with a valid private key.
Prevents unauthorized access by ensuring tokens are properly signed and trusted.
Enhances the overall security of Kubernetes cluster authentication.
Cons:
If the argument is misconfigured or the private key is incorrect, service account authentication will fail, potentially disrupting access to the Kubernetes API for service accounts.
Default Value:
By default, the --service-account-private-key-file argument may not be set; when it is not configured, the API server will use an internal key or generate a new one. It is recommended to set this argument to a secure, custom private key file.
Pre-Requisites:
Access to the Kubernetes API server configuration.
A valid private key file for signing service account tokens.
Sufficient privileges (root or administrator access) to modify the API server flags.
A Kubernetes environment configured to manage and securely store the private key.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --service-account-private-key-file argument in the API server configuration.
Ensure that the --service-account-private-key-file argument is set to the correct private key file path.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check for the presence of the --service-account-private-key-file argument in the API server arguments section:
- --service-account-private-key-file=/etc/kubernetes/pki/service-account.key
Ensure that the --service-account-private-key-file argument is set to the correct path for the private key file. If it is not, update the configuration to point to the correct file.
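The check above can be automated against the manifest that kubectl returns. The following is an added example, not part of the original benchmark text; it assumes the manifest is retrieved with `-o json` instead of `-o yaml` (so that only the Python standard library is needed) and that the API server container is named `kube-apiserver`. The three manifests embedded in the block are constructed samples. The checker accepts both `--flag=value` and `--flag value` forms, looks in both `command` and `args`, and works on either a Deployment or a bare Pod manifest.

```python
import json

FLAG = "--service-account-private-key-file"
EXPECTED_PATH = "/etc/kubernetes/pki/service-account.key"  # path used in the Test Plan


def extract_apiserver_args(manifest):
    """Return command + args of the container named kube-apiserver (assumed name).

    Handles a Deployment (spec.template.spec.containers) and a Pod (spec.containers).
    Returns an empty list when no such container exists.
    """
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for container in pod_spec.get("containers", []):
        if container.get("name") == "kube-apiserver":
            return list(container.get("command", [])) + list(container.get("args", []))
    return []


def find_flag_value(argv, flag):
    """Return the value given for `flag`, or None if it is absent.

    Accepts `--flag=value` and `--flag value`. A later occurrence overrides an
    earlier one, which is how a string flag behaves in the API server's flag parser.
    """
    value = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == flag and i + 1 < len(argv):
            value = argv[i + 1]
            i += 2
            continue
        if arg.startswith(flag + "="):
            value = arg[len(flag) + 1:]
        i += 1
    return value


def check_service_account_key_flag(manifest_json, expected_path=EXPECTED_PATH):
    """Evaluate the benchmark check on a `kubectl get ... -o json` document.

    Returns (passed, detail) so the result can be logged or asserted on.
    """
    manifest = json.loads(manifest_json)
    argv = extract_apiserver_args(manifest)
    if not argv:
        return False, "no kube-apiserver container found in manifest"
    actual = find_flag_value(argv, FLAG)
    if actual is None:
        return False, f"{FLAG} is not set"
    if actual != expected_path:
        return False, f"{FLAG} is set to {actual!r}, expected {expected_path!r}"
    return True, f"{FLAG} is set to {actual!r}"


def _deployment(command, args=None):
    """Build a constructed, minimal Deployment manifest for the samples below."""
    container = {"name": "kube-apiserver", "image": "kube-apiserver:example", "command": command}
    if args:
        container["args"] = args
    return json.dumps({
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
        "spec": {"template": {"spec": {"containers": [container]}}},
    })


# Constructed sample manifests (not captured from a real cluster).
GOOD_MANIFEST = _deployment(["kube-apiserver", f"{FLAG}={EXPECTED_PATH}"])
MISSING_MANIFEST = _deployment(["kube-apiserver", "--secure-port=6443"])
WRONG_PATH_MANIFEST = _deployment(["kube-apiserver"], args=[FLAG, "/tmp/sa.key"])

if __name__ == "__main__":
    for label, manifest in [("good", GOOD_MANIFEST), ("missing", MISSING_MANIFEST),
                            ("wrong-path", WRONG_PATH_MANIFEST)]:
        passed, detail = check_service_account_key_flag(manifest)
        print(f"{label:10s} {'PASS' if passed else 'FAIL'}: {detail}")
```

To run it against a live cluster, replace the sample with the output of `kubectl get deployment -n kube-system kube-apiserver -o json` and pass that string to check_service_account_key_flag. The same function serves the verification step of the Implementation Plan, since a successful edit should turn a FAIL into a PASS.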
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --service-account-private-key-file argument.
If the argument is missing or set incorrectly, update the API server configuration to point to the correct private key file:
--service-account-private-key-file=/etc/kubernetes/pki/service-account.key
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --service-account-private-key-file argument:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following line to point to the correct private key file:
- --service-account-private-key-file=/etc/kubernetes/pki/service-account.key
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by setting the --service-account-private-key-file argument to the previous value or removing it entirely.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --service-account-private-key-file argument back to its previous value:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to include the previous value for the --service-account-private-key-file argument.
Save and exit the editor to apply the changes.