Profile Applicability:

  • Level 1

Description:

The kubelet config.yaml configuration file contains critical settings for the kubelet, which is responsible for managing containers on each node in the Kubernetes cluster. This file may include sensitive information such as cluster configuration, authentication credentials, and other settings. Ensuring that the file permissions are set to 600 or more restrictive prevents unauthorized users from accessing or modifying the kubelet's configuration, thus maintaining the security of the node.

Rationale:

The kubelet config.yaml file may contain sensitive data used to configure the kubelet’s behavior, such as authentication tokens or paths to certificates. If the file permissions are too permissive, unauthorized users could potentially access or modify these settings, leading to security risks such as privilege escalation, unauthorized access to the Kubernetes API, or even denial of service. Setting the permissions to 600 ensures that only the owner (typically the root user) has access to the file.

Impact:

Pros:

  • Protects the kubelet's configuration from unauthorized access or tampering.

  • Helps meet security best practices and ensures compliance with internal security policies.

Cons:

  • If misconfigured, it could prevent legitimate users or system services from accessing the configuration file, leading to operational issues.

Default Value:

By default, the kubelet config.yaml file might have permissions set to 644, which is too permissive because it lets every user on the node read the file. This check therefore ensures that the file permissions are set to 600 or more restrictive.

Pre-requisites:

  • The kubelet config.yaml file should exist on the system and be located in the appropriate directory (typically /etc/kubernetes/kubelet.conf or another custom path).

  • The file should be accessible only to the root user or the kubelet service user.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your Kubernetes worker node or EKS cluster.

  3. Check whether the kubelet config.yaml file exists (typically located at /etc/kubernetes/kubelet.conf or another directory).

  4. Verify the file permissions using the following command:

ls -l /etc/kubernetes/kubelet.conf

  5. Ensure that the file permissions are set to 600 or more restrictive (e.g., 400).

Using AWS CLI:

  1. SSH into the Kubernetes node.

  2. Run the following command to check the file permissions of the kubelet config.yaml file:

ls -l /etc/kubernetes/kubelet.conf

  3. Ensure that the file permissions are set to 600 or more restrictive.

Implementation Plan

Using AWS Console:

  1. Access the Kubernetes node where the kubelet config.yaml file is located.

  2. Verify the file's permissions with the following command:

ls -l /etc/kubernetes/kubelet.conf

  3. If the permissions are not set to 600 or more restrictive, modify them:

sudo chmod 600 /etc/kubernetes/kubelet.conf

Using AWS CLI:

  1. SSH into the Kubernetes node where the kubelet config.yaml file is located.

  2. Set the file permissions to 600:

sudo chmod 600 /etc/kubernetes/kubelet.conf
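The audit and remediation steps above can be scripted so that the check is repeatable across nodes. The following is an added example, not part of the benchmark or of any Kubernetes tooling; it assumes GNU stat (Linux) and defaults to the /etc/kubernetes/kubelet.conf path used in this check, with the path overridable as the first argument.

```shell
#!/bin/sh
# Added example: audit the kubelet configuration file against the
# "600 or more restrictive" requirement and remediate only when needed.
# Assumes GNU coreutils 'stat' (Linux); the default path is the one used
# in this check and can be overridden by passing a path as $1.

# kubelet_mode PATH -> prints the octal permission bits, e.g. 644 or 4600
kubelet_mode() {
    stat -c '%a' "$1"
}

# mode_is_restrictive MODE -> returns 0 when MODE is 600 or stricter:
# group and other must be 0, owner may only be read/write (0, 2, 4 or 6).
# A leading setuid/setgid/sticky digit (e.g. 4600) is ignored for the test.
mode_is_restrictive() {
    m=$1
    m=${m#${m%???}}          # keep only the last three digits
    owner=${m%??}
    rest=${m#?}
    [ "$rest" = "00" ] && case "$owner" in 0|2|4|6) return 0 ;; esac
    return 1
}

# audit_kubelet_config [PATH] -> 0 = compliant, 1 = too permissive, 2 = missing
audit_kubelet_config() {
    path="${1:-/etc/kubernetes/kubelet.conf}"
    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not exist" >&2
        return 2
    fi
    mode=$(kubelet_mode "$path")
    if mode_is_restrictive "$mode"; then
        echo "PASS: $path mode $mode (owner $(stat -c '%U' "$path"))"
        return 0
    fi
    echo "FAIL: $path mode $mode is more permissive than 600" >&2
    return 1
}

# remediate_kubelet_config [PATH] -> chmod 600 only when the audit fails,
# so an already stricter mode such as 400 is left untouched.
remediate_kubelet_config() {
    path="${1:-/etc/kubernetes/kubelet.conf}"
    audit_kubelet_config "$path" >/dev/null 2>&1 && return 0
    [ -f "$path" ] || return 2
    chmod 600 "$path" && audit_kubelet_config "$path"
}
```

Run audit_kubelet_config on its own for the Test Plan, and remediate_kubelet_config (as root) for the Implementation Plan; the exit code distinguishes a compliant file, a too-permissive file and a missing file.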

Backout Plan

Using AWS Console:

  1. Navigate to the node and revert the file permissions to a more permissive setting (e.g., 644).

  2. Verify that the change has been applied and that the file is accessible.

Using AWS CLI:

  1. If necessary, revert the file permissions using:

sudo chmod 644 /etc/kubernetes/kubelet.conf

References:

  • Kubernetes Kubelet Documentation

  • Linux chmod Command