Profile Applicability:

  • Level 1

Description:

The client certificate authorities (CA) file contains critical information used to authenticate client certificates in a Kubernetes cluster. This file should be owned by the root user and group to ensure that only privileged users can modify or access the file. By setting the file ownership to root:root, you ensure the security of the file, protecting it from unauthorized access or tampering.

Rationale:

The client certificate authorities file is used for verifying the identity of clients connecting to the Kubernetes API server. If the ownership is not set to root:root, unauthorized users might gain access to or modify the file, potentially compromising the integrity of the authentication system. Ensuring proper ownership helps protect the security of sensitive credentials.

Impact:

Pros:

  • Enhances the security of the cluster by ensuring that only the root user can modify or read the file.

  • Reduces the risk of unauthorized access or tampering with the file.

Cons:

  • If misconfigured, legitimate users with necessary administrative access might not be able to manage the certificate authorities file.

Default Value:

The default ownership for critical files like the client certificate authorities file is typically set to root:root in secure systems, but this should always be verified to ensure that security is maintained.

Pre-requisites:

  • The client certificate authorities file must exist and be located in the appropriate directory (typically /etc/kubernetes/pki/ca.crt, or a custom path if the cluster was provisioned differently).

  • The file must be accessible only by the root user and any service accounts or applications that require access to it.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your Kubernetes worker node or EKS cluster.

  3. Ensure that the client certificate authorities file exists (typically located at /etc/kubernetes/pki/ca.crt).

  4. Verify the ownership of the file using the following command:

     ls -l /etc/kubernetes/pki/ca.crt

  5. Ensure that the ownership is set to root:root.

Using AWS CLI:

  1. SSH into the Kubernetes node.

  2. Run the following command to check the ownership of the client certificate authorities file:

     ls -l /etc/kubernetes/pki/ca.crt

  3. Verify that the ownership is set to root:root.

Implementation Plan:

Using AWS Console:

  1. Access the Kubernetes node where the client certificate authorities file is located.

  2. Verify the file's ownership with the following command:

     ls -l /etc/kubernetes/pki/ca.crt

  3. If the ownership is not set to root:root, update it:

     sudo chown root:root /etc/kubernetes/pki/ca.crt

Using AWS CLI:

  1. SSH into the Kubernetes node where the client certificate authorities file is located.

  2. Set the ownership of the client certificate authorities file to root:root:

     sudo chown root:root /etc/kubernetes/pki/ca.crt
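The Test Plan and Implementation Plan above amount to one audit-and-remediate procedure: read the owner and group from `ls -l`, compare against root:root, and apply `chown root:root` only when the check fails. The script below is an added example, not part of the benchmark text; the path and the root:root expectation come from the page, while the function names, the `CA_FILE` environment variable and the `audit`/`fix` arguments are assumptions made here.

```shell
#!/bin/sh
# Added example: audit (and optionally remediate) ownership of the Kubernetes
# client CA file. Function names, CA_FILE and the audit/fix modes are assumptions.

CA_FILE="${CA_FILE:-/etc/kubernetes/pki/ca.crt}"   # path named in the benchmark
EXPECTED_OWNER="root:root"                          # ownership the benchmark requires

# Print "owner:group" of a file, parsed from `ls -ld` exactly as the test plan
# reads `ls -l`. Returns non-zero (and prints nothing) if the file is missing.
file_owner() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Return 0 only when the file exists and is owned by root:root.
# A missing file is a failure, since the benchmark's prerequisite is that it exists.
check_ca_ownership() {
    owner=$(file_owner "$1") || return 1
    [ "$owner" = "$EXPECTED_OWNER" ]
}

# Audit one file and print PASS/FAIL. In "fix" mode, apply the page's remediation
# (chown root:root) when the check fails; chown needs root privileges.
audit_ca_file() {
    path="$1"
    mode="${2:-audit}"
    if check_ca_ownership "$path"; then
        echo "PASS: $path is owned by $EXPECTED_OWNER"
        return 0
    fi
    current=$(file_owner "$path" 2>/dev/null || echo "<missing>")
    echo "FAIL: $path is owned by $current, expected $EXPECTED_OWNER"
    if [ "$mode" = "fix" ] && [ -e "$path" ]; then
        chown "$EXPECTED_OWNER" "$path" && echo "FIXED: $path now $EXPECTED_OWNER" && return 0
    fi
    return 1
}

# Stand-alone use:  CA_FILE=/etc/kubernetes/pki/ca.crt ./check_ca_owner.sh audit
#                   sudo ./check_ca_owner.sh fix
case "${1:-}" in
    audit|fix) audit_ca_file "$CA_FILE" "$1" ;;
esac
```

Run it with `audit` on each control-plane node first; the non-zero exit status makes it usable from a config-management or cron job, and `fix` is deliberately separate so that an audit never changes the node. Note that ownership is only half of the control: a root-owned file that is world-writable is still tamperable, so pair this with the companion permissions check (mode 644 or stricter) from the same benchmark family.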

Backout Plan:

Using AWS Console:

  1. Navigate to the Kubernetes node.

  2. If necessary, revert the ownership to a more permissive setting (e.g., user-specific ownership).

  3. Verify that the change has been applied and that the file is accessible.

Using AWS CLI:

If issues occur, revert the ownership using:

sudo chown <user>:<group> /etc/kubernetes/pki/ca.crt

References:

  • Kubernetes Security Documentation

  • Linux chown Command