Profile Applicability:

  • Level 1

Description:
This check ensures that the config.yaml file used by the kubelet has the correct file ownership set to root:root. This ensures that only the root user and group have access to modify the kubelet's configuration, which is critical for maintaining cluster security and preventing unauthorized configuration changes.

Rationale:
File ownership control is an important aspect of security. By ensuring that only the root user and group can modify the config.yaml file, this setting reduces the risk of unauthorized users altering the Kubernetes configuration, potentially compromising the cluster's security.

Impact:

Pros:

  • Helps prevent unauthorized modification of the kubelet's configuration.

  • Ensures better control over access to the critical Kubernetes configuration file.

Cons:

  • Requires appropriate management of file ownership, especially in environments with many users or automated processes that interact with the file.

Default Value:
By default, the kubelet’s config.yaml file may have permissions that allow broader access. This check enforces more restrictive ownership for added security.

Pre-requisites:

  • The config.yaml file for kubelet must exist.

  • Access to the Kubernetes node file system to verify file ownership.

Test Plan:

Using AWS Console:

  1. Access the Kubernetes node using the Azure Portal.

  2. Check the ownership of the config.yaml file used by the kubelet to ensure it is set to root:root.

Using AWS CLI:

  1. SSH into the node where the kubelet is running.

  2. Run the following command to check the file ownership:

     ls -l /etc/kubernetes/kubelet/config.yaml

  3. Ensure that the file ownership is root:root.

Implementation Plan

Using AWS Console:

  1. Access the Kubernetes node from the Azure Portal.

  2. Navigate to the config.yaml file used by the kubelet.

  3. Set the ownership of the file to root:root:

     sudo chown root:root /etc/kubernetes/kubelet/config.yaml

Using AWS CLI:

  1. SSH into the Kubernetes node where the kubelet is running.

  2. Change the file ownership using the following command:

     sudo chown root:root /etc/kubernetes/kubelet/config.yaml
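The audit and remediation steps above, combined into one idempotent script as an added example (not part of the benchmark text). It assumes GNU coreutils stat (with a BSD fallback), that the path can be overridden through the hypothetical KUBELET_CONFIG variable, and that --fix runs as root or via sudo.

```shell
#!/bin/sh
# Added example: audit and remediate kubelet config.yaml ownership.
# Assumes GNU `stat -c` (BSD `stat -f` fallback) and that remediation
# runs as root or via sudo. KUBELET_CONFIG is a constructed override.
KUBELET_CONFIG="${KUBELET_CONFIG:-/etc/kubernetes/kubelet/config.yaml}"

# Print the file's owner:group, e.g. "root:root".
file_owner() {
  stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Audit: return 0 if owned by the expected owner:group (default root:root),
# 1 if owned by anyone else, 2 if the file does not exist.
check_owner() {
  path="$1"; expected="${2:-root:root}"
  if [ ! -e "$path" ]; then
    echo "MISSING: $path" >&2
    return 2
  fi
  actual="$(file_owner "$path")"
  if [ "$actual" = "$expected" ]; then
    echo "PASS: $path is owned by $actual"
    return 0
  fi
  echo "FAIL: $path is owned by $actual, expected $expected" >&2
  return 1
}

# Remediate: change ownership only when the audit fails, then re-audit so
# the result is verified rather than assumed. Safe to run repeatedly.
remediate_owner() {
  path="$1"; expected="${2:-root:root}"
  check_owner "$path" "$expected" >/dev/null 2>&1 && return 0
  [ -e "$path" ] || return 2
  chown "$expected" "$path" || return 1
  check_owner "$path" "$expected"
}

# Usage: ./kubelet-owner.sh --check   (audit only)
#        ./kubelet-owner.sh --fix     (audit, chown if needed, re-audit)
case "${1:-}" in
  --check) check_owner "$KUBELET_CONFIG" ;;
  --fix)   remediate_owner "$KUBELET_CONFIG" ;;
esac
```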

Backout Plan:

Using AWS Console:

If the change causes issues, revert the ownership of the config.yaml file to its previous state:

sudo chown <previous_owner>:<previous_group> /etc/kubernetes/kubelet/config.yaml

Using AWS CLI:

If necessary, revert the ownership to the previous setting by running:

sudo chown <previous_owner>:<previous_group> /etc/kubernetes/kubelet/config.yaml

References: