Profile applicability: Level 1
Ensure that, if the kubelet is started with the --config argument, the configuration file it refers to is owned by root:root.
The kubelet reads various parameters, including security settings, from the config file specified by the --config argument. If this file is specified, restrict its ownership to maintain the integrity of the file: only the administrators on the system (root) should be able to write to it, since anyone who can modify it can change the kubelet's security settings.
Note: See the AWS EKS documentation for the default value.
Audit
Method 1
- First, SSH to the relevant worker node.
- Enter the following command to check if the kubelet service is running:
  sudo systemctl status kubelet
  The output should return Active: active (running) since...
- Run the following command on each node to find the appropriate kubelet config file:
  ps -ef | grep kubelet
  The output should return something similar to --config /etc/kubernetes/kubelet/config.json, which is the location of the kubelet config file.
- Run the following command (using the path found above):
  stat -c %U:%G /etc/kubernetes/kubelet/config.json
  The output of the above command is the kubelet config file's ownership.
- Verify that the ownership is set to root:root.
Method 2
Create and Run a Privileged Pod
- Run a pod that is privileged enough to access the host's file system. To do this, deploy a pod that uses a hostPath volume to mount the node's file system into the pod. Because the audit only reads the file, the volume is mounted read-only. An example of a simple pod definition that mounts the root of the host to /host within the pod:
  apiVersion: v1
  kind: Pod
  metadata:
    name: file-check
  spec:
    volumes:
    - name: host-root
      hostPath:
        path: /
        type: Directory
    containers:
    - name: nsenter
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
      - name: host-root
        mountPath: /host
        readOnly: true
      securityContext:
        privileged: true
  The pod must land on the node you are auditing; if the cluster has several nodes, pin it with spec.nodeName (or a nodeSelector) and repeat per node.
- Save this to a file (e.g., file-check-pod.yaml) and create the pod:
  kubectl apply -f file-check-pod.yaml
- Once the pod is running, exec into it to check file ownership on the node:
  kubectl exec -it file-check -- sh
- You are now in a shell inside the pod, but you can access the node's file system through the /host directory and check the ownership of the file:
  ls -l /host/etc/kubernetes/kubelet/config.json
- Verify that the ownership is set to root:root.
- Delete the pod when you are done, since a privileged pod with the host root mounted is itself a security exposure:
  kubectl delete pod file-check
Remediation
Run the following command on the affected node as root (using the config file location identified in the Audit step):
chown root:root /etc/kubernetes/kubelet/config.json
Re-run the stat command from the Audit step afterwards to confirm the ownership is now root:root.
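The Method 1 audit and the remediation above are easy to automate for a fleet of nodes. The following bash script is an added example, not part of the benchmark text or of any AWS tooling: it locates the --config path on the running kubelet's command line, checks that the file is owned by root:root, and optionally applies the chown. It assumes GNU or busybox ps and stat are present, that it runs as root on the worker node, and that the kubelet is started with --config as shown in the Audit section; the script and function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: automate the kubelet --config ownership audit and remediation.
# Assumes GNU/busybox `ps` and `stat`, and that it is run as root on the node.
set -u

# Print the kubelet's full command line (first kubelet process found).
# The pattern requires the word "kubelet" to be the binary name so that this
# script's own process line (kubelet_config_owner.sh) is not matched.
kubelet_cmdline() {
  ps -eo args | grep -E '(^|/)kubelet( |$)' | head -n 1
}

# Extract the value of --config from a kubelet command line.
# Accepts both "--config /path" and "--config=/path"; prints nothing if absent.
kubelet_config_path() {
  printf '%s\n' "$1" | sed -n -E 's/.*--config[ =]([^ ]+).*/\1/p'
}

# Return 0 when an "owner:group" string is exactly root:root.
ownership_ok() {
  [ "$1" = "root:root" ]
}

# Audit: 0 = pass, 1 = fail (wrong owner), 2 = kubelet or --config not found.
audit_kubelet_config() {
  path=$(kubelet_config_path "$(kubelet_cmdline)")
  if [ -z "$path" ] || [ ! -f "$path" ]; then
    echo "kubelet is not running with --config, or file missing: '$path'" >&2
    return 2
  fi
  owner=$(stat -c %U:%G "$path")
  if ownership_ok "$owner"; then
    echo "PASS: $path is owned by $owner"
    return 0
  fi
  echo "FAIL: $path is owned by $owner (expected root:root)" >&2
  return 1
}

# Remediation: chown the file the kubelet actually uses, then re-audit.
remediate_kubelet_config() {
  path=$(kubelet_config_path "$(kubelet_cmdline)")
  [ -n "$path" ] || { echo "no kubelet --config path found" >&2; return 2; }
  chown root:root "$path" && audit_kubelet_config
}

# Usage: ./kubelet_config_owner.sh --audit | --fix
case "${1:-}" in
  --audit) audit_kubelet_config ;;
  --fix)   remediate_kubelet_config ;;
esac
```

Run it with --audit first; a non-zero exit code is what you want a configuration-management job or node-bootstrap check to key off, and --fix only touches the path the kubelet is actually using rather than a hard-coded one.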
