Profile Applicability:

  • Level 1

Description:

The --kubeconfig argument specifies the path to the kubelet's kubeconfig file, which contains sensitive information, including the authentication credentials used to communicate with the Kubernetes API server. It is crucial that this file has strict permissions, specifically 600 or more restrictive, to ensure that only the root user (or the kubelet service user) can access the file, protecting the credentials from unauthorized access.

Rationale:

Setting the kubelet's kubeconfig file permissions to 600 ensures that no unauthorized user or process can read or modify the file. Since the file contains sensitive access credentials, it must be protected from unauthorized access to prevent potential attacks or misconfigurations.

Impact:

Pros:

  • Protects sensitive authentication information stored in the kubelet's kubeconfig file.

  • Reduces the risk of unauthorized access to the Kubernetes API.

Cons:

  • If misconfigured, legitimate users with the appropriate privileges may be unable to access the kubelet configuration file.

Default Value:

The default file permissions for the kubelet's kubeconfig file vary by distribution and installer, but they are commonly 644, which is not restrictive enough because every user on the node can read the credentials.

Pre-requisites:

  • The kubelet's kubeconfig file should exist and be located at the specified path (typically /etc/kubernetes/kubelet.conf or another custom location).

  • The file should be accessible only by the root user or the kubelet service user.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster or Kubernetes node.

  3. Check if the kubelet's kubeconfig file exists (commonly located at /etc/kubernetes/kubelet.conf).

  4. Check the file permissions with the following command and ensure they are set to 600 or more restrictive:

ls -l /etc/kubernetes/kubelet.conf

  5. Verify that the permissions column shows -rw-------, indicating that only the owner has read and write permissions.

Using AWS CLI:

  1. SSH into the Kubernetes node.

  2. Run the following command to check the file permissions of the kubelet's kubeconfig file:

ls -l /etc/kubernetes/kubelet.conf

  3. Ensure that the file permissions are set to 600 or more restrictive.

Implementation Plan

Using AWS Console:

  1. Access the EKS node or Kubernetes worker node.

  2. Navigate to the directory containing the kubelet's kubeconfig file (typically /etc/kubernetes/).

  3. Change the file permissions of the kubelet's kubeconfig file to 600:

sudo chmod 600 /etc/kubernetes/kubelet.conf

Using AWS CLI:

  1. SSH into the Kubernetes node where the kubelet's kubeconfig file is located.

  2. Set the file permissions to 600:

sudo chmod 600 /etc/kubernetes/kubelet.conf
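The audit and remediation steps above, as an added shell script that is not part of the original benchmark text: the audit function passes only when the mode grants nothing beyond owner read/write (600, 400 and the like pass; 644, 640 and 700 fail), and the remediation function applies chmod 600 only when that audit fails. The path is the one used in the steps above; the script assumes GNU or busybox stat on the node.

```shell
#!/bin/sh
# Audit/remediation helper for the kubelet kubeconfig permission check.
# Assumption: /etc/kubernetes/kubelet.conf as in the benchmark, and a
# stat that supports -c '%a' (GNU coreutils or busybox).
KUBECONFIG_PATH="${KUBECONFIG_PATH:-/etc/kubernetes/kubelet.conf}"

# Returns 0 when the mode is 600 or more restrictive (no bits outside
# owner rw), 1 when it is too permissive, 2 when the file is missing.
check_kubeconfig_perms() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 2; }
    mode=$(stat -c '%a' "$f") || return 2
    # Keep only the three permission digits (drops a leading setuid/sticky digit).
    mode=$(printf '%s' "$mode" | tail -c 3)
    # Mask out owner rw (0600); anything left over is an extra grant.
    extra=$(( 0$mode & 0177 ))
    if [ "$extra" -eq 0 ]; then
        echo "PASS: $f is mode $mode (owner read/write only)"
        return 0
    fi
    echo "FAIL: $f is mode $mode; remediate with: chmod 600 $f"
    return 1
}

# Applies the benchmark fix only when the audit fails, then re-audits.
remediate_kubeconfig_perms() {
    f="$1"
    check_kubeconfig_perms "$f" >/dev/null && return 0
    [ -f "$f" ] || return 2
    chmod 600 "$f" && check_kubeconfig_perms "$f"
}

# Usage on a node: check_kubeconfig_perms "$KUBECONFIG_PATH"
```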

Backout Plan

Using AWS Console:

  1. Navigate to the node and revert the file permissions to the previous state (e.g., 644 if necessary).

  2. Verify that the change has been applied.

Using AWS CLI:

If necessary, revert the file permissions using:

sudo chmod 644 /etc/kubernetes/kubelet.conf

References:

  • Kubernetes Kubelet Documentation

  • Linux chmod Command