UCF STIG Viewer Logo

The Kubernetes Controller Manager must create unique service accounts for each work payload.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242381 CNTR-K8-000220 SV-242381r712499_rule High
Description
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.
STIG Date
Kubernetes Security Technical Implementation Guide 2021-04-14

Details

Check Text ( C-45656r712497_chk )
Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command:

grep -i use-service-account-credential *

If the setting use-service-account-credential is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding.
Fix Text (F-45614r712498_fix)
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of "use-service-account-credential" to "true".