Profile Applicability:

  • Level 1

Description:

Ensure that the --service-account-key-file argument is correctly configured in the Kubernetes API server. This argument specifies the path to the private key used to sign service account tokens. Service account tokens are used for authenticating and authorizing API requests in the Kubernetes cluster, so it is crucial to use a secure and properly configured key file.

Rationale:

Setting the --service-account-key-file argument ensures that the Kubernetes API server uses a valid private key to sign service account tokens. This is a key component of Kubernetes' authentication system, ensuring that tokens issued for service accounts are signed by a trusted key. It helps prevent unauthorized access and ensures that only trusted services can authenticate with the API server.

Impact:

Pros:

  • Ensures secure service account authentication by signing tokens with a trusted private key.

  • Prevents unauthorized access to the Kubernetes API server by verifying that service account tokens are signed with a valid key.

Cons:

  • Misconfiguration could cause the API server to fail to sign tokens correctly, leading to authentication issues for service accounts.

  • Requires proper management and secure storage of the private key file to avoid security risks.

Default Value:

By default, the --service-account-key-file argument may not be set, and the API server might not use a custom signing key for service accounts. Manual configuration is required to specify the correct private key file for signing service account tokens.

Pre-Requisites:

  • Access to the Kubernetes API server configuration.

  • A valid private key file for signing service account tokens.

  • Sufficient privileges (root or administrator access) to modify the API server flags.

  • A Kubernetes environment where service account authentication is enabled.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Review the settings for the --service-account-key-file argument in the API server configuration.

  5. Ensure that the --service-account-key-file argument is set to the correct private key file path.

Using AWS CLI:

Retrieve the configuration for the Kubernetes API server:

kubectl get deployment -n kube-system kube-apiserver -o yaml

Check for the presence of the --service-account-key-file argument in the API server arguments section:

- --service-account-key-file=/etc/kubernetes/pki/service-account.key

  1. Ensure that the --service-account-key-file argument is set to the appropriate private key file. If it is not, update the configuration to point to the correct private key file.
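As an added example (not part of this benchmark entry), the following POSIX shell check parses the API server YAML returned by the kubectl command above, extracts the --service-account-key-file value and reports PASS or FAIL; the two embedded YAML snippets are constructed samples so the check can be exercised offline, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver container spec for --service-account-key-file.
# Real use: kubectl get deployment -n kube-system kube-apiserver -o yaml | check_sa_key_file
# The samples below are constructed; they are not output from a real cluster.

# Constructed sample: flag present (expected PASS).
SAMPLE_CONFIGURED='    command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --service-account-key-file=/etc/kubernetes/pki/service-account.key
    - --service-account-issuer=https://kubernetes.default.svc'

# Constructed sample: flag missing (expected FAIL).
SAMPLE_MISSING='    command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --service-account-issuer=https://kubernetes.default.svc'

# sa_key_file_path: print the value of --service-account-key-file found in the
# YAML read from stdin (first match only); prints nothing when the flag is absent.
sa_key_file_path() {
  sed -n 's/^[[:space:]]*-[[:space:]]*--service-account-key-file=\(.*\)$/\1/p' | head -n 1
}

# check_sa_key_file: read YAML from stdin, return 0 (PASS) when the flag is set
# to a non-empty value, 1 (FAIL) otherwise. Also FAILs if the value does not
# look like an absolute path, which usually indicates a typo in the manifest.
check_sa_key_file() {
  path=$(sa_key_file_path)
  case "$path" in
    /*) echo "PASS: --service-account-key-file=$path"; return 0 ;;
    "") echo "FAIL: --service-account-key-file is not set"; return 1 ;;
    *)  echo "FAIL: --service-account-key-file value is not an absolute path: $path"; return 1 ;;
  esac
}
```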

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Review the cluster's configuration for the --service-account-key-file argument.

  4. If the argument is missing or set incorrectly, update the API server configuration to set the correct private key file path:

    --service-account-key-file=/etc/kubernetes/pki/service-account.key

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

Modify the API server deployment by adding or updating the --service-account-key-file argument:

kubectl edit deployment -n kube-system kube-apiserver

  1. In the deployment YAML, locate the command section under the spec for the kube-apiserver container.

  2. Add or update the following line to specify the correct private key file:

- --service-account-key-file=/etc/kubernetes/pki/service-account.key

  3. Save and exit the editor to apply the changes.

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Locate the API server configuration.

  4. If necessary, revert the change by setting the --service-account-key-file argument to the previous value or restoring the default configuration.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

To revert the change, edit the API server deployment to set the --service-account-key-file argument back to its previous value:

kubectl edit deployment -n kube-system kube-apiserver

  1. Update the deployment YAML to include the previous value for the --service-account-key-file argument.

  2. Save and exit the editor to apply the changes.

References: