iCompaas Support

Profile Applicability:

• Level 1
  
  

Description:

Certificate authority (CA) files store the public key data used to verify certificates, ensuring that communications between Kubernetes components are secure. These files typically contain sensitive information and must be properly secured. Setting the permissions of the certificate authorities file to 600 or more restrictive ensures that only authorized users (typically the root user) have read and write access to the file, protecting it from unauthorized access or modification.

Rationale:

The CA file is crucial for the integrity and security of the Kubernetes cluster's communication. If unauthorized users are able to read or modify the CA file, they could potentially forge or manipulate certificates, compromising the security of the entire system. Setting the file permissions to 600 ensures that only the root user or the necessary service account can access and modify the file, reducing the risk of malicious tampering.

Impact:

• Pros:
  

  • Ensures that the certificate authorities file is protected from unauthorized access or modification.
    

  • Reduces the risk of a security breach where certificates could be tampered with.
    

• Cons:
  

  • If misconfigured, legitimate users or services may be unable to access or manage certificates if they need to.
    

Default Value:

By default, Kubernetes does not enforce specific file permissions on certificate authorities, leaving it to system administrators to configure and secure these files. In a secure environment, the file permissions should be set to 600 by default.

Pre-requisites:

• The certificate authorities file must exist and be accessible on the system.
  

• The file should be properly configured for use by Kubernetes and related services.
  

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.
   

2. Navigate to your EKS Cluster or Kubernetes node.
   

3. Check if the certificate authorities file exists (typically located at /etc/kubernetes/pki/ca.crt or another custom path).
   

Verify the file permissions using the following command:

ls -l /etc/kubernetes/pki/ca.crt

4. Ensure that the file permissions are set to 600 or more restrictive.
   

Using AWS CLI:

1. SSH into the Kubernetes node.
   

Run the following command to check the file permissions of the certificate authorities file:

ls -l /etc/kubernetes/pki/ca.crt

2. Verify that the file permissions are set to 600 or more restrictive.
   

Implementation Plan

Using AWS Console:

1. Access the Kubernetes node where the certificate authorities file is located.
   

Verify the file permissions with the following command:

ls -l /etc/kubernetes/pki/ca.crt

If the permissions are not set to 600, modify the permissions:

sudo chmod 600 /etc/kubernetes/pki/ca.crt

Using AWS CLI:

1. SSH into the Kubernetes node where the certificate authorities file is located.
   

Set the file permissions to 600:

sudo chmod 600 /etc/kubernetes/pki/ca.crt

Backout Plan

Using AWS Console:

1. Navigate to the node and revert the file permissions to a more permissive setting (e.g., 644).
   

2. Verify that the change has been applied and that the file is accessible.
   

Using AWS CLI:

If necessary, revert the file permissions using:

sudo chmod 644 /etc/kubernetes/pki/ca.crt

References:

• Kubernetes Security Documentation
  Linux chmod Command