UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Kubernetes Controller Manager must create unique service accounts for each work payload.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242381 CNTR-K8-000220 SV-242381r712499_rule High
Description
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.
STIG Date
Kubernetes Security Technical Implementation Guide 2021-06-17

Details

Check Text ( C-45656r712497_chk )
Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command:

grep -i use-service-account-credential *

If the setting use-service-account-credential is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding.
Fix Text (F-45614r712498_fix)
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of "use-service-account-credential" to "true".