Profile Applicability:

  • Level 1 

Description:

The kubelet service file is a critical configuration file that controls the kubelet service in a Kubernetes cluster. This file typically contains sensitive information such as service arguments, environment variables, and file paths.To ensure the security of the cluster, it is essential to set the file permissions of the kubelet service file to 600 or more restrictive to prevent unauthorized users from accessing or modifying the configuration file.

Rationale:

The kubelet service file contains sensitive information related to the node and cluster configuration. Setting file permissions to 600 ensures that only the owner (typically the root user) has read and write permissions, preventing unauthorized users from viewing or tampering with the kubelet configuration. This mitigates the risk of privilege escalation or unauthorized changes to the kubelet configuration, which could lead to security vulnerabilities.

Impact:

Pros:

  • Enhances security by preventing unauthorized users from accessing or modifying the kubelet configuration.

  • Helps meet security best practices by ensuring that only the root user can access the kubelet service file.

Cons:

  • If misconfigured, legitimate administrative users may be unable to read or modify the kubelet service file.

Default Value:

The default file permissions for the kubelet service file can vary based on the distribution, but they should be configured to at least 644 by default, which is not restrictive enough from a security perspective.

Pre-requisites:

  • The kubelet service file must be located on the system and accessible to the root user for modification.

  • The kubelet service file should be properly configured and not corrupted.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster or Kubernetes node.

  3. Ensure that the kubelet service file (typically located at /etc/systemd/system/kubelet.service.d/10-kubeadm.conf or /etc/systemd/system/kubelet.service) has file permissions set to 600 or more restrictive.

Using AWS CLI:

  1. SSH into the Kubernetes node.

Check the file permissions of the kubelet service file:

ls -l /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

  1. Verify that the file permissions are set to 600 or more restrictive (e.g., 400).

Implementation Plan

Using AWS Console:

  1. Access the EKS node or Kubernetes worker node.

  2. Navigate to the kubelet service file's directory (/etc/systemd/system/kubelet.service.d/ or /etc/systemd/system/).

Modify the file permissions of the kubelet service file:

sudo chmod 600 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

Reload the systemd configuration to apply changes:

sudo systemctl daemon-reload

Using AWS CLI:

  1. SSH into the Kubernetes node where the kubelet service file is located.

Set the file permissions to 600 for the kubelet service file:

sudo chmod 600 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

Reload systemd and restart the kubelet service:

sudo systemctl daemon-reload
sudo systemctl restart kubelet

Backout Plan

Using AWS Console:

  1. Navigate to the node and revert the file permissions of the kubelet service file if necessary (e.g., to 644).

Reload the systemd configuration:

sudo systemctl daemon-reload

Using AWS CLI:

If issues occur, revert the file permissions to a more permissive setting (e.g., 644):

sudo chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

Reload systemd and restart the kubelet service:

sudo systemctl daemon-reload
sudo systemctl restart kubelet

References: