Profile Applicability:

  • Level 1

Description:

Ensure that profiling is disabled on the Kubernetes API server, i.e. that it runs with --profiling=false. When profiling is enabled the API server registers the Go net/http/pprof handlers under /debug/pprof/, which serve heap, goroutine, CPU and other runtime profiles of the control plane process. These are useful for debugging but expose internal implementation details and have no place in a production control plane. On Amazon EKS the API server is operated by AWS and its command-line flags are not exposed to customers, so this control is verified by probing the endpoint rather than by reading a flag.

Rationale:

Setting --profiling=false stops the API server from registering the pprof handlers under /debug/pprof/. Those handlers reveal goroutine stack traces, allocation sites and build details of the running API server, and they let a caller start CPU, block or trace profiling runs on demand, which consumes control plane resources. The endpoints sit behind the API server's normal authentication and authorization (they are nonResourceURLs), so the practical exposure is to any principal granted get on that path or belonging to system:masters, and to anyone who compromises such a principal. Disabling profiling in production removes that exposure; the operational need is covered by /metrics and logs.

Impact:

Pros:

  • Removes the /debug/pprof/ handlers, so runtime internals of the API server cannot be retrieved even by a principal that has RBAC access to that nonResourceURL.

  • Reduces the attack surface of the control plane: one less set of HTTP handlers, and no way for a caller to trigger CPU or trace profiling of the API server on demand.

Cons:

  • Profiling of the live API server is unavailable for debugging and troubleshooting. Use /metrics, API server and audit logs (on EKS, control plane logging to CloudWatch Logs) instead, and reproduce problems that genuinely need a profile on a non-production cluster with profiling enabled.

Default Value:

In upstream Kubernetes --profiling defaults to true, so an API server started without the flag serves /debug/pprof/. On EKS the value is chosen by AWS and is not configurable by the customer, so do not assume the default in either direction: run the endpoint probe from the Test Plan. A self-managed control plane must set --profiling=false explicitly.

Pre-Requisites:

  • kubectl access to the cluster as a principal allowed to get the nonResourceURL /debug/pprof/ (for example cluster-admin, or on EKS an IAM identity mapped to system:masters), so that a Forbidden response is not mistaken for a disabled endpoint.

  • For self-managed control planes only: root access to the control plane nodes to edit the kube-apiserver static pod manifest.

  • An alternative source of performance data (/metrics, control plane logs) so that disabling profiling does not leave operators without observability.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Note that the console exposes no API server command-line flags: the control plane is managed by AWS, and --profiling is not a cluster setting you can view here.

  5. Verify the effective state with the CLI check below; the console cannot confirm it.

Using the CLI (kubectl):

The kube-apiserver is not a Deployment in kube-system: on EKS the control plane runs in an AWS-owned account and no API server pod is visible from the cluster, and on kubeadm-style clusters it is a static pod. Verify the effective state by requesting the profiling index through the API server itself:

kubectl get --raw /debug/pprof/

Interpret the result as follows:

  1. Error from server (NotFound): the server could not find the requested resource means the pprof handlers are not registered, i.e. the server is running with --profiling=false. This is the compliant result.

  2. An HTML page titled /debug/pprof/ that lists profiles such as allocs, goroutine and heap means profiling is enabled.

  3. Error from server (Forbidden) means the principal used for the check lacks RBAC on the nonResourceURL /debug/pprof/. Repeat the check as a cluster administrator; until then the result is inconclusive.

On a self-managed control plane you can additionally read the flag from the static pod:

kubectl get pod -n kube-system -l component=kube-apiserver -o jsonpath='{.items[*].spec.containers[*].command}'

Ensure --profiling=false appears. An absent flag means profiling is enabled, because the upstream default is true.
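The following script automates the checks above and, going one step further than the text, also audits which ClusterRoles grant access to the profiling URLs (the only mitigation available when the flag itself cannot be changed). It is an added example, not code from the benchmark, Kubernetes or AWS. It assumes kubectl is on PATH with the current context pointing at the cluster, and that on kubeadm-style clusters the API server static pod carries the label component=kube-apiserver (on EKS no such pod exists and that step simply finds nothing). The sample PodList and ClusterRoleList embedded in the script are constructed for illustration, not captured from a real cluster.

```python
"""Check whether kube-apiserver profiling (/debug/pprof/) is disabled.

Added example; not from the benchmark, Kubernetes or AWS.
Assumptions (not in the original page): kubectl on PATH with a working
context; kubeadm-style API server pods labelled component=kube-apiserver.
"""
import json
import subprocess


def profiling_enabled_from_args(args):
    """True if these kube-apiserver arguments leave profiling on.

    The upstream default is true, so an absent flag means enabled. pflag
    booleans use the --flag=value form; a bare --profiling also means true.
    The last occurrence wins, as it does for the real flag parser.
    """
    enabled = True
    for a in args:
        if a == "--profiling":
            enabled = True
        elif a.startswith("--profiling="):
            enabled = a.split("=", 1)[1].strip().lower() not in ("false", "0", "f")
    return enabled


def apiserver_args_from_pod_list(pod_list_json):
    """Command+args of every kube-apiserver container in a PodList JSON."""
    found = []
    for pod in json.loads(pod_list_json).get("items", []):
        for c in pod["spec"]["containers"]:
            if c["name"] == "kube-apiserver":
                found.append(c.get("command", []) + c.get("args", []))
    return found


def classify_pprof_probe(returncode, stdout, stderr):
    """Interpret the outcome of `kubectl get --raw /debug/pprof/`.

    enabled   - the handler answered with its HTML index of profiles
    disabled  - 404: handlers not registered, i.e. --profiling=false
    forbidden - RBAC denied the nonResourceURL; result inconclusive
    unknown   - anything else (network, credentials, ...)
    """
    if returncode == 0 and "/debug/pprof" in stdout:
        return "enabled"
    if "NotFound" in stderr or "could not find the requested resource" in stderr:
        return "disabled"
    if "Forbidden" in stderr:
        return "forbidden"
    return "unknown"


def url_matches(pattern, path):
    """RBAC nonResourceURL matching: '*' matches all, a trailing '*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def roles_granting_pprof(clusterrole_list_json):
    """Names of ClusterRoles that allow get on /debug/pprof/ via nonResourceURLs."""
    out = set()
    for role in json.loads(clusterrole_list_json).get("items", []):
        for rule in role.get("rules") or []:
            verbs = rule.get("verbs", [])
            if "*" not in verbs and "get" not in verbs:
                continue
            if any(url_matches(u, "/debug/pprof/") for u in rule.get("nonResourceURLs", [])):
                out.add(role["metadata"]["name"])
    return sorted(out)


# Constructed sample (not captured from a real cluster): a kubeadm-style
# API server pod with profiling explicitly disabled.
SAMPLE_PODS = json.dumps({"items": [{"spec": {"containers": [{
    "name": "kube-apiserver",
    "command": ["kube-apiserver", "--secure-port=6443", "--profiling=false"]}]}}]})

# Constructed sample: one role whose /debug/* grant covers pprof, one that does not.
SAMPLE_ROLES = json.dumps({"items": [
    {"metadata": {"name": "debug-reader"},
     "rules": [{"verbs": ["get"], "nonResourceURLs": ["/debug/*"]}]},
    {"metadata": {"name": "metrics-reader"},
     "rules": [{"verbs": ["get"], "nonResourceURLs": ["/metrics"]}]},
]})


def run(cmd):
    """Run a command and return (returncode, stdout, stderr); 127 if absent."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, "", f"{cmd[0]} not found"
    return p.returncode, p.stdout, p.stderr


if __name__ == "__main__":
    rc, out, err = run(["kubectl", "get", "--raw", "/debug/pprof/"])
    print("pprof probe:", classify_pprof_probe(rc, out, err))
    rc, out, err = run(["kubectl", "get", "pods", "-n", "kube-system",
                        "-l", "component=kube-apiserver", "-o", "json"])
    if rc == 0:
        for args in apiserver_args_from_pod_list(out):  # empty on EKS
            print("static pod flag leaves profiling enabled:", profiling_enabled_from_args(args))
    rc, out, err = run(["kubectl", "get", "clusterroles", "-o", "json"])
    if rc == 0:
        print("ClusterRoles that can read /debug/pprof/:", roles_granting_pprof(out))
```

Treat "enabled" as a finding, "disabled" as compliant and "forbidden" as a check that must be rerun with an administrative identity. On EKS the flag cannot be changed, so any ClusterRole the last step reports that is bound to non-administrators is the thing to fix.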

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Confirm that the cluster is a managed EKS control plane: the console exposes no API server flags, and --profiling cannot be set from here.

  4. There is nothing to change in the console for this control. If the endpoint probe from the Test Plan shows profiling enabled, proceed with the CLI steps below to restrict who can reach it.

Using the CLI (kubectl):

On EKS the customer cannot change the flag, so there is no kubectl or AWS CLI command that sets --profiling=false. If the probe shows the profiling index is reachable, limit who can reach it: the profiling URLs are nonResourceURLs, so only members of system:masters and principals granted get on /debug/pprof/ (or a covering pattern such as /debug/* or *) through a ClusterRole can read them. List the grants and remove them from roles bound to non-administrators:

kubectl get clusterroles -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.rules[*].nonResourceURLs}{"\n"}{end}'

On a self-managed control plane (for example kubeadm), edit the static pod manifest on every control plane node:

sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
  1. Locate the command list of the kube-apiserver container and add or update the following line:

- --profiling=false

  2. Save the file. The kubelet detects the manifest change and restarts the static pod; confirm the result with the /debug/pprof/ probe from the Test Plan.

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Confirm that no API server flag was changed from the console; none can be.

  4. If RBAC grants were removed as a mitigation and must be restored, revert them with kubectl by re-applying the previous ClusterRole manifests.

Using the CLI (kubectl):

On EKS there is no flag change to revert. Re-apply any ClusterRole manifests that were changed to remove /debug/pprof/ access, if that access is needed again.

On a self-managed control plane, restore the previous static pod manifest on each control plane node, or set the flag back explicitly:

sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml

Update the command list to include the following line (removing the flag altogether has the same effect, since the upstream default is true):

- --profiling=true

  1. Save the file; the kubelet restarts the static pod with the restored setting.

References: