Profile applicability: Level 1
Ensure that if the kubelet configuration file exists, it has permissions of 644 or more restrictive.

The kubelet reads various parameters, including security settings, from a config file specified by the --config argument. If this file exists, restrict its file permissions to maintain the integrity of the file. The file should be writable only by the administrators on the system, and no permission bit should be set that is not set in 644 (owner read/write, group and others read-only).

Note: The default permissions for the kubelet configuration file are 600, which is already more restrictive than 644.
Impact
Overly permissive file access increases the security risk to the platform.
Audit
Using Google Cloud Console
- Go to Kubernetes Engine by visiting the Google Cloud Console Kubernetes Engine page.
- Click on the desired cluster to open the Details page, then click on the desired Node pool to open the Node pool Details page.
- Note the name of the desired node.
- Go to VM Instances by visiting the Google Cloud Console VM Instances page.
- Find the desired node and click on 'SSH' to open an SSH connection to the node, then continue with Method 1 under Using Command Line.
Using Command Line
Method 1
First, SSH to the relevant worker node.
To check whether the kubelet service is running, run:
sudo systemctl status kubelet
The output should include a line beginning with Active: active (running) since ...
Run the following command on each node to find the kubelet config file in use:
ps -ef | grep kubelet
The output should contain an argument similar to --config /etc/kubernetes/kubelet-config.yaml; its value is the location of the kubelet config file. Use the path actually reported on the node in the steps below (the path shown here is only an example). If the kubelet runs without --config, there is no file to check.
Run the following command:
stat -c %a /etc/kubernetes/kubelet-config.yaml
The output is the kubelet config file's permissions in octal. Verify that they are 644 or more restrictive, meaning no permission bit is set that is not set in 644: 600, 640 and 444 pass, while 664, 666, 700 and 605 fail. Compare the bits, not the number: 605 and 511 are numerically below 644 yet set execute bits that 644 does not.
Method 2
Create and Run a Privileged Pod.
You will need to run a pod that is privileged enough to access the host's file system.
This can be achieved by deploying a pod that uses the hostPath volume to mount the
node's file system into the pod.
Here's an example of a simple pod definition that mounts the root of the host to /host
within the pod:
apiVersion: v1
kind: Pod
metadata:
  name: file-check
spec:
  volumes:
  - name: host-root
    hostPath:
      path: /          # the node's root file system
      type: Directory
  containers:
  - name: nsenter
    image: busybox
    command: ["sleep", "3600"]   # keep the container alive for kubectl exec
    volumeMounts:
    - name: host-root
      mountPath: /host           # node file system appears under /host
    securityContext:
      privileged: true
Save this to a file (e.g., file-check-pod.yaml) and create the pod:
kubectl apply -f file-check-pod.yaml
Note that the scheduler places the pod on an arbitrary node. To audit a specific node, pin the pod to it (for example by setting nodeName in the pod spec) or repeat the check on each node. The check only reads the file, so the host mount can be marked readOnly.
Once the pod is running, exec into it to check file permissions on the node:
kubectl exec -it file-check -- sh
You are now in a shell inside the pod, but the node's file system is available under the /host directory, so you can check the permissions of the file (use the --config path found on that node, prefixed with /host):
ls -l /host/etc/kubernetes/kubelet-config.yaml
Verify that if a file is specified and it exists, the permissions are 644 or more restrictive: the mode string must not show any bit beyond -rw-r--r--, so -rw------- (600) and -rw-r----- (640) pass while -rw-rw-r-- (664) fails. Delete the pod once the check is complete.
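The following script, added here as an example and not part of the benchmark text, automates Method 1 and the verification step it shares with Method 2: it extracts the --config path from the running kubelet's command line, reads the mode with stat -c %a, and compares it bit by bit against 644 so that 600, 640 and 444 pass while 664, 700 or 605 fail. The function names (mode_ok, kubelet_config_path, audit_file, audit_node) and the script file name are the example's own. Run it as root on the node with "sudo sh check-kubelet-config-mode.sh live", or pass an explicit path as the second argument.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: audit the kubelet
# config file mode against "644 or more restrictive".
# Function names (mode_ok, kubelet_config_path, audit_file, audit_node)
# are this example's own.

# mode_ok MODE: succeed if every permission bit set in MODE (as printed by
# "stat -c %a") is also set in 644. A numeric comparison is the wrong test:
# 605 and 511 are below 644 yet set execute bits that 644 does not.
# Modes with setuid/setgid/sticky bits (a non-zero leading digit on a
# four-digit mode) are rejected, since 644 has none of those bits either.
mode_ok() {
    case $1 in
        [0-7][0-7][0-7])  _m=$1 ;;
        0[0-7][0-7][0-7]) _m=${1#0} ;;
        *) return 1 ;;
    esac
    _i=1
    while [ "$_i" -le 3 ]; do
        _d=$(printf '%s' "$_m" | cut -c"$_i")
        _a=$(printf '%s' 644 | cut -c"$_i")
        # bits present in the file's digit but absent from 644's digit
        [ $(( _d & ~_a )) -eq 0 ] || return 1
        _i=$((_i + 1))
    done
    return 0
}

# kubelet_config_path CMDLINE: print the --config value from a kubelet
# command line, accepting both "--config /path" and "--config=/path".
# Prints nothing when the kubelet runs without --config.
kubelet_config_path() {
    printf '%s\n' "$1" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p'
}

# audit_file PATH: PASS when the file is absent (nothing to protect) or its
# mode is 644 or more restrictive; FAIL otherwise.
audit_file() {
    if [ ! -e "$1" ]; then
        echo "PASS: $1 does not exist, nothing to check"
        return 0
    fi
    _mode=$(stat -c %a "$1")
    if mode_ok "$_mode"; then
        echo "PASS: $1 has mode $_mode (644 or more restrictive)"
        return 0
    fi
    echo "FAIL: $1 has mode $_mode, more permissive than 644"
    return 1
}

# audit_node [PATH]: locate the running kubelet's --config file (or use the
# PATH given) and audit it. Must run on the node itself, as root.
audit_node() {
    _cfg=$1
    if [ -z "$_cfg" ]; then
        _cmd=$(ps -eo args | grep -E '^([^ ]*/)?kubelet( |$)' | head -n 1)
        if [ -z "$_cmd" ]; then
            echo "kubelet is not running on this node"
            return 2
        fi
        _cfg=$(kubelet_config_path "$_cmd")
        if [ -z "$_cfg" ]; then
            echo "PASS: kubelet runs without --config, no file to check"
            return 0
        fi
    fi
    audit_file "$_cfg"
}

# Only run the live audit when asked to, so the functions above can be
# sourced or tested on a machine without a kubelet.
if [ "${1:-}" = "live" ]; then
    audit_node "${2:-}"
fi
```

The bitwise check is the part worth keeping even if you audit by hand: "644 or more restrictive" is a statement about which bits are set, not about the size of the octal number, which is why 700 and 605 both fail while 604 passes.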
Remediation
Run the following command, substituting the kubelet config file location found during the audit:
chmod 644 <kubelet_config_file>
Apply this only when the file is more permissive than 644. If it is already 600 (the default) or otherwise more restrictive, leave it unchanged rather than loosening it to 644.
