3.1.2 - Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)

Views:

Profile applicability: Level 1

If kubelet is running, ensure that the file ownership of its kubeconfig file is set to root:root.

The kubelet kubeconfig file controls various parameters of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.

Note

See the Azure AKS documentation for the default value.

Audit

Method 1

SSH to the worker nodes.
Enter the following command to check if the Kubelet Service is running:
```
sudo systemctl status kubelet
```
The output should return Active: active (running) since...
Run the following command on each node to find the appropriate kubeconfig file:
```
ps -ef | grep kubelet
```
The output should return something similar to --kubeconfig /var/lib/kubelet/kubeconfig, which is the location of the kubeconfig file.
Run this command to obtain the kubeconfig file ownership:
```
stat -c %U:%G /var/lib/kubelet/kubeconfig
```
Verify that if a file is specified and it exists, the ownership is root:root.

Method 2

Create and Run a Privileged Pod

Run a pod that is privileged enough to access the host's file system. To do this, deploy a pod that uses the hostPath volume to mount the node's file system into the pod.

An example of a simple pod definition that mounts the root of the host to /host within the pod:

       apiVersion: v1
       kind: Pod
       metadata:
       name: file-check
       spec:
       volumes:
       - name: host-root
       hostPath:
       path: /
       type: Directory
       containers:
       - name: nsenter
       image: busybox
       command: ["sleep", "3600"]
       volumeMounts:
       - name: host-root
       mountPath: /host
       securityContext:
       privileged: true

Save this to a file (e.g., file-check-pod.yaml) and create the pod:
```
kubectl apply -f file-check-pod.yaml
```
Once the pod is running, exec into it to check file ownership on the node:
```
kubectl exec -it file-check -- sh
```
Now you are in a shell inside the pod, but you can access the node's file system through the /host directory and check the ownership of the file:
```
ls -l /host/var/lib/kubelet/kubeconfig
```
Verify that if a file is specified and it exists, the ownership is root root.

Remediation

Run the below command (based on the file location on your system) on each worker node:

chown root:root <kubeconfig file>