Profile Applicability:
Level 1
Description:
The ownership of the kubelet service file is critical for security and proper system management. The root:root ownership ensures that only the root user has control over the file, preventing unauthorized modifications by non-privileged users. The kubelet service file is responsible for controlling the kubelet process and includes sensitive configurations. Proper file ownership is essential to protect these configurations from unauthorized access or tampering.
Rationale:
Ensuring that the kubelet service file is owned by root:root minimizes the risk of unauthorized changes to the file that could compromise the Kubernetes node's security or functionality. If the file's ownership is incorrect, it may allow non-privileged users to modify the kubelet configuration, potentially leading to security vulnerabilities.
Impact:
Pros:
Ensures that only the root user can modify the kubelet service file, preventing unauthorized access.
Helps maintain the integrity of the system's configuration and security.
Cons:
If misconfigured, legitimate users with necessary privileges may be unable to manage the kubelet service file.
Default Value:
By default, system files like the kubelet service file should be owned by root:root on most Linux distributions.
Pre-requisites:
The kubelet service file should exist on the system and be located in a standard directory like /etc/systemd/system/kubelet.service.d/ or /etc/systemd/system/.
The system should be configured to allow for root ownership and proper file management.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster or Kubernetes node.
Ensure that the kubelet service file is located at /etc/systemd/system/kubelet.service.d/ or /etc/systemd/system/.
Verify the file ownership using the following command:
ls -l /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Ensure that the file ownership is set to root:root.
Using AWS CLI:
SSH into the Kubernetes node.
Run the following command to check the ownership of the kubelet service file:
ls -l /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Verify that the ownership is root:root.
Implementation Plan
Using AWS Console:
Access the EKS node or Kubernetes worker node.
Navigate to the directory containing the kubelet service file (typically /etc/systemd/system/kubelet.service.d/ or /etc/systemd/system/).
Change the ownership of the kubelet service file to root:root:
sudo chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Reload systemd to apply any changes:
sudo systemctl daemon-reload
Using AWS CLI:
SSH into the Kubernetes node where the kubelet service file is located.
Change the ownership of the kubelet service file to root:root:
sudo chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Reload systemd and restart the kubelet service to apply changes:
sudo systemctl daemon-reload
sudo systemctl restart kubelet
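As an added example (not part of this benchmark or the Kubernetes project), a POSIX shell script that performs the ownership check from the Test Plan and the chown/reload remediation above in one place; the candidate file paths and the function names are assumptions, and the drop-in file name varies by distribution.

```shell
#!/bin/sh
# Added example: audit and remediate kubelet service file ownership.
# The paths below are assumptions; the drop-in file name varies by distribution.
KUBELET_SERVICE_FILES="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/systemd/system/kubelet.service"

# Print "user:group" for a path (GNU stat first, BSD stat as a fallback).
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Return 0 when every existing file given is owned by root:root, 1 otherwise.
# Files that are not present are reported and skipped rather than failed,
# since a node normally carries only one of the candidate paths.
audit_kubelet_service_ownership() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "SKIP  $f (not present)"
            continue
        fi
        owner=$(file_owner "$f")
        if [ "$owner" = "root:root" ]; then
            echo "PASS  $f is owned by $owner"
        else
            echo "FAIL  $f is owned by $owner, expected root:root"
            rc=1
        fi
    done
    return "$rc"
}

# Set ownership back to root:root on the files that exist, then reload systemd
# and restart kubelet so the unit picks up the corrected service file.
remediate_kubelet_service_ownership() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            chown root:root "$f"
        fi
    done
    systemctl daemon-reload && systemctl restart kubelet
}

# Typical use on a node, as root:
#   audit_kubelet_service_ownership $KUBELET_SERVICE_FILES \
#       || remediate_kubelet_service_ownership $KUBELET_SERVICE_FILES
```

The audit function exits non-zero on any mismatch, so it can be wired into a node bootstrap check or a cron job that only remediates when the check fails.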
Backout Plan
Using AWS Console:
Access the EKS node or Kubernetes worker node.
If necessary, revert the ownership of the kubelet service file to its previous state (e.g., root:root).
Reload systemd to apply the changes.
Using AWS CLI:
If issues occur, revert the ownership to root:root by running:
sudo chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Reload systemd and restart the kubelet service:
sudo systemctl daemon-reload
sudo systemctl restart kubelet
References:
Kubernetes Kubelet Documentation
EKS Cluster Management