3.1.4 - Ensure that the kubelet configuration file ownership is set to root:root (Automated)

1. SSH to the relevant worker nodes.
2. Enter the following command to check to see if the Kubelet Service is running:

   sudo systemctl status kubelet

   The output should return Active: active (running) since...
3. Run the following command on each node to find the appropriate Kubelet config file:

   ps -ef | grep kubelet

   The output of the above command should return something similar to --config/etc/kubernetes/kubelet/kubelet-config.json, which is the location of the Kubelet config file.
4. Run this command to obtain the Kubelet config file's ownership:

   stat -c %U:%G /etc/kubernetes/kubelet/kubelet-config.json

5. Verify that the ownership is set to root:root.

1. Run a pod that is privileged enough to access the host's file system. To do this, deploy a pod that uses the hostPath volume to mount the node's file system into the pod.
   An example of a simple pod definition that mounts the root of the host to /host within the pod:

   apiVersion: v1
   kind: Pod
   metadata:
     name: file-check
   spec:
     volumes:
     - name: host-root
       hostPath:
         path: /
         type: Directory
     containers:
     - name: nsenter
       image: busybox
       command: ["sleep", "3600"]
       volumeMounts:
       - name: host-root
         mountPath: /host
       securityContext:
         privileged: true

2. Save this to a file (e.g., file-check-pod.yaml) and create the pod:

   kubectl apply -f file-check-pod.yaml

3. Once the pod is running, exec into it to check file ownership on the node:

   kubectl exec -it file-check -- sh

4. Now you are in a shell inside the pod, but you can access the node's file system through the /host directory and check the azure.json file's ownership:

   ls -l /host/etc/kubernetes/kubelet/kubelet-config.json

5. Verify that the ownership is set to root:root.

chown root:root /etc/kubernetes/kubelet/kubelet-config.json