Profile Applicability:
Level 1
Description:
The kubeconfig file contains credentials, cluster configuration, and authentication information required to interact with the Kubernetes API server. For security purposes, if a proxy kubeconfig file exists (typically used to configure access to a Kubernetes cluster through a proxy), it is crucial that the file's permissions are set to 600 or more restrictive. This ensures that only the owner has read and write access to the file, protecting sensitive information from unauthorized access.
Rationale:
Kubeconfig files contain sensitive information, including tokens, client certificates, and API server addresses. If the file is not properly secured, unauthorized users could gain access to the Kubernetes cluster. By setting the file permissions to 600, you ensure that only the owner (typically the root user) can read and modify the file, mitigating the risk of credential theft and unauthorized cluster access.
Impact:
Pros:
Enhances the security of the kubeconfig file by restricting access to only the owner.
Prevents unauthorized users from reading or modifying sensitive cluster access credentials.
Cons:
If misconfigured, legitimate users with necessary access may be unable to use the proxy kubeconfig file.
Default Value:
The default permissions for kubeconfig files are often set to 644 (readable by others), which is not secure enough. Thus, this check is important for enhancing security.
Pre-requisites:
The proxy kubeconfig file must exist and be located in the appropriate directory (typically ~/.kube/config or another custom path).
The file must be accessible only to the user who needs to interact with the Kubernetes cluster.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your Kubernetes worker node.
Check if the proxy kubeconfig file exists (commonly located at ~/.kube/config or a custom location).
Ensure that the file permissions are set to 600 or more restrictive using the following command:
ls -l ~/.kube/config
Verify that the file has rw------- permissions, indicating that only the owner can read and write the file.
Using AWS CLI:
SSH into the Kubernetes node.
Run the following command to check the permissions of the proxy kubeconfig file:
ls -l ~/.kube/config
Ensure that the permissions are 600 or more restrictive.
Implementation Plan
Using AWS Console:
Access the Kubernetes node where the proxy kubeconfig file is located.
Verify the file's permissions with the following command:
ls -l ~/.kube/config
If the permissions are not set to 600 or more restrictive, set the file permissions:
chmod 600 ~/.kube/config
Using AWS CLI:
SSH into the Kubernetes node.
Check if the proxy kubeconfig file exists:
ls -l ~/.kube/config
If the permissions are incorrect, update the permissions:
sudo chmod 600 ~/.kube/config
Backout Plan
Using AWS Console:
Navigate to the Kubernetes node.
If there are any issues, revert the permissions to the previous setting:
chmod 644 ~/.kube/config
Verify that the change has been applied and that the file is accessible.
Using AWS CLI:
If necessary, revert the permissions using:
sudo chmod 644 ~/.kube/config
Ensure that the kubeconfig file is accessible and working properly.
References:
Kubernetes Kubeconfig Documentation
Kubernetes Security Best Practices