Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-242381 | CNTR-K8-000220 | SV-242381r712499_rule | High |
Description |
---|
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance. |
STIG | Date |
---|---|
Kubernetes Security Technical Implementation Guide | 2021-06-17 |
Check Text ( C-45656r712497_chk ) |
---|
Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command: grep -i use-service-account-credential * If the setting use-service-account-credential is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding. |
Fix Text (F-45614r712498_fix) |
---|
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of "use-service-account-credential" to "true". |