Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Kubernetes Controller Manager must create unique service accounts for each work payload.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-242381 | CNTR-K8-000220 | SV-242381r712499_rule | High |
| Description |
|---|
| The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance. |
| STIG | Date |
|---|---|
| Kubernetes Security Technical Implementation Guide | 2021-04-14 |
Details
| Check Text ( C-45656r712497_chk ) |
|---|
| Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command: grep -i use-service-account-credential * If the setting use-service-account-credential is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding. |
| Fix Text (F-45614r712498_fix) |
|---|
| Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of "use-service-account-credential" to "true". |