Profile Applicability:
Level 1
Description:
The kubelet's --kubeconfig argument specifies the path to the kubeconfig file the kubelet uses to authenticate to the Kubernetes API server. That file holds, or references, the node's client credentials (a client certificate and key, a bearer token, or the exec plugin that fetches one), so it must be protected from other local users. Its ownership should be root:root so that only the root user can change its contents or its permission bits; ownership works together with restrictive file permissions (a separate check) to keep unprivileged users from reading or tampering with the credentials.
Rationale:
Setting the ownership of the kubelet's kubeconfig file to root:root ensures that no unprivileged local user can modify the file or loosen its permissions, which protects the credentials the kubelet presents to the API server. A user who could alter or read this file could point the kubelet at a rogue API server or reuse the node's identity, so this is a basic safeguard against privilege escalation and unauthorized access to cluster resources.
Impact:
Pros:
Ensures that only privileged users (typically the root user) can access or modify the kubelet's kubeconfig file.
Helps secure the sensitive authentication information in the kubelet configuration.
Cons:
If a provisioning or configuration-management agent that runs as a non-root user is expected to rewrite the file, it will lose the ability to do so once the file is owned by root:root. The kubelet itself normally runs as root and is unaffected.
Default Value:
The file is written as root:root by the usual node bootstrap tooling (on EKS-optimized AMIs it is /var/lib/kubelet/kubeconfig; on kubeadm-provisioned nodes it is /etc/kubernetes/kubelet.conf), but ownership can drift through manual edits or custom automation and should always be verified.
Pre-requisites:
The kubelet's kubeconfig file must exist at the path passed to the kubelet's --kubeconfig argument (commonly /var/lib/kubelet/kubeconfig on EKS nodes or /etc/kubernetes/kubelet.conf on kubeadm nodes); read the path from the running kubelet's arguments rather than assuming it.
Shell access to the node as root (or via sudo) is required; the EKS console itself exposes no node filesystem.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open a shell on the worker node, for example with Systems Manager Session Manager or EC2 Instance Connect from the EC2 console (the EKS console does not give access to node files).
Find the kubeconfig path from the running kubelet's arguments:
ps -ef | grep '[k]ubelet'
Look for the --kubeconfig argument in the output and confirm that the file exists.
Verify the ownership of the kubelet's kubeconfig file:
stat -c '%U:%G' /var/lib/kubelet/kubeconfig
(Use ls -l if you prefer; substitute the path found above.)
Ensure that the output is root:root.
Using AWS CLI:
Open a session on the node, either over SSH or with:
aws ssm start-session --target <instance-id>
Locate the kubeconfig path from the kubelet's --kubeconfig argument as above, then check its ownership:
stat -c '%U:%G' /var/lib/kubelet/kubeconfig
Verify that the output is root:root.
Implementation Plan:
Using AWS Console:
Open a shell on the EKS worker node (Session Manager or EC2 Instance Connect from the console).
Record the current ownership so it can be restored if needed:
stat -c '%U:%G' /var/lib/kubelet/kubeconfig
Change the ownership of the kubelet's kubeconfig file to root:root (substitute the path from the kubelet's --kubeconfig argument):
sudo chown root:root /var/lib/kubelet/kubeconfig
Re-run the stat command to confirm the result is root:root.
Using AWS CLI:
Open a session on the node (SSH, or aws ssm start-session --target <instance-id>).
Record the current ownership, then set it to root:root:
stat -c '%U:%G' /var/lib/kubelet/kubeconfig
sudo chown root:root /var/lib/kubelet/kubeconfig
Re-run the stat command to confirm the result is root:root.
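The audit and remediation steps above, collected into one script as an added example (this is not code from the benchmark or from any Kubernetes project). It reads the kubeconfig path from the running kubelet's --kubeconfig argument instead of assuming one, falls back to the two common default locations, records the previous owner before changing it, and uses GNU stat and ps as found on Amazon Linux nodes. The function names and the sample kubelet command line in the usage comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit and remediate kubelet kubeconfig ownership (root:root).
# Assumes GNU coreutils (stat -c) and procps (ps -eo args), as on EKS nodes.

# Extract the value of --kubeconfig from a kubelet command line string.
# Accepts both "--kubeconfig=/path" and "--kubeconfig /path"; prints nothing
# if the argument is absent.
kubeconfig_path_from_cmdline() {
  printf '%s\n' "$1" | sed -n 's/.*--kubeconfig[= ]\([^ ]*\).*/\1/p'
}

# Locate the running kubelet's kubeconfig. Falls back to the common EKS and
# kubeadm defaults when the flag is not present on the command line.
find_kubelet_kubeconfig() {
  cmdline=$(ps -eo args 2>/dev/null | grep '[k]ubelet' | head -n 1)
  path=$(kubeconfig_path_from_cmdline "$cmdline")
  if [ -z "$path" ]; then
    for candidate in /var/lib/kubelet/kubeconfig /etc/kubernetes/kubelet.conf; do
      if [ -f "$candidate" ]; then
        path=$candidate
        break
      fi
    done
  fi
  printf '%s\n' "$path"
}

# Compare an owner:group string against the required value.
# Prints PASS or FAIL and returns 0 or 1 accordingly.
check_owner() {
  if [ "$1" = "root:root" ]; then
    echo "PASS: owner is root:root"
    return 0
  fi
  echo "FAIL: owner is $1, expected root:root"
  return 1
}

# Audit one file. Return codes: 0 pass, 1 wrong owner, 2 file missing.
audit_kubeconfig() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "FAIL: $f does not exist"
    return 2
  fi
  check_owner "$(stat -c '%U:%G' "$f")"
}

# Remediate one file: record the previous owner (needed for backout), set
# root:root, then re-audit. Must run as root.
remediate_kubeconfig() {
  f=$1
  before=$(stat -c '%U:%G' "$f") || return 2
  echo "previous owner of $f: $before (keep this for the backout plan)"
  chown root:root "$f" || return 1
  audit_kubeconfig "$f"
}

# Usage on a node (as root):
#   audit_kubeconfig "$(find_kubelet_kubeconfig)"
#   remediate_kubeconfig "$(find_kubelet_kubeconfig)"
```

The audit returns distinct exit codes (1 for wrong ownership, 2 for a missing file) so it can be wired into a node-level compliance check without parsing its output; a missing file usually means the path was guessed rather than read from the kubelet's arguments.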
Backout Plan:
Using AWS Console:
Open a shell on the node and restore the ownership that was recorded before the change (not an arbitrary more permissive setting).
Verify with stat -c '%U:%G' that the previous owner is in place and that the kubelet still starts and authenticates.
Using AWS CLI:
If necessary, revert the ownership to the recorded values:
sudo chown <user>:<group> /var/lib/kubelet/kubeconfig
References:
Kubernetes Kubelet Documentation: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
Linux chown Command: https://man7.org/linux/man-pages/man1/chown.1.html