3.1.3 - Ensure that the azure.json file has permissions set to 644 or more restrictive (Automated)

Views:

Profile applicability: Level 1

The azure.json file in an Azure Kubernetes Service (AKS) cluster is a configuration file used by the Kubernetes cloud provider integration for Azure. This file contains essential details that allow the Kubernetes cluster to interact with Azure resources effectively. It is part of the Azure Cloud Provider configuration, enabling Kubernetes components to communicate with Azure services for features like load balancers, storage, and networking.

Ensure the file has permissions of 644 or more restrictive.

The azure.json file in AKS structure typically includes:

Tenant ID: The Azure Tenant ID where the AKS cluster resides.
Subscription ID: The Azure Subscription ID used for billing and resource management.
AAD Client ID: The Azure Active Directory (AAD) application client ID used by the Kubernetes cloud provider to interact with Azure resources.
AAD Client Secret: The secret for the AAD application.
Resource Group: The name of the resource group where the AKS cluster resources are located.
Location: The Azure region where the AKS cluster is deployed.
VM Type: Specifies the type of VMs used by the cluster (e.g., standard VMs or Virtual Machine Scale Sets).
Subnet Name, Security Group Name, Vnet Name, and Vnet Resource Group: Networking details for the cluster.
Route Table Name: The name of the route table for the cluster.
Storage Account Type: The default type of storage account to use for Kubernetes persistent volumes.

Note

See the Azure AKS documentation for the default value.

Audit

Method 1

SSH to the relevant worker node.
Enter the following command to check if the Kubelet Service is running:
```
sudo systemctl status kubelet
```
The output should return Active: active (running).
Run the following command on each node to find the appropriate Kubelet config file:
```
ps -ef | grep kubelet
```
The output should return something similar to --config /etc/kubernetes/azure.json, which is the location of the Kubelet config file.
Run the following command:
```
stat -c %a /etc/kubernetes/azure.json
```
Verify that the permissions are 644 or more restrictive.

Method 2

Create and Run a Privileged Pod

Run a pod that is privileged enough to access the host's file system. To do this, deploy a pod that uses the hostPath volume to mount the node's file system into the pod.

An example of a simple pod definition that mounts the root of the host to /host within the pod:
```
apiVersion: v1
kind: Pod
metadata:
  name: file-check
spec:
  volumes:
  - name: host-root
    hostPath:
      path: /
      type: Directory
  containers:
  - name: nsenter
    image: busybox
    command: ["sleep", "3600"]
    volumeMounts:
    - name: host-root
      mountPath: /host
    securityContext:
      privileged: true
```
Save this to a file (e.g., file-check-pod.yaml) and create the pod:
```
kubectl apply -f file-check-pod.yaml
```
Once the pod is running, exec into it to check file permissions on the node:
```
kubectl exec -it file-check -- sh
```
Now you are in a shell inside the pod, but you can access the node's file system through the /host directory and check the permission level of the file:
```
ls -l /host/etc/kubernetes/azure.json
```
Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.

Remediation

Run the following command (using the config file location identified in the Audit step):

chmod 644 /etc/kubernetes/azure.json