RKE2 must use a centralized user management solution to support account management functions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-254554 | CNTR-R2-000030 | SV-254554r859232_rule | Medium |
| Description |
|---|
| The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance. |
| STIG | Date |
|---|---|
| Rancher Government Solutions RKE2 Security Technical Implementation Guide | 2022-10-13 |
Details
| Check Text ( C-58038r859230_chk ) |
|---|
| Ensure use-service-account-credentials argument is set correctly. Run this command on the RKE2 Control Plane: /bin/ps -ef | grep kube-controller-manager | grep -v grep If --use-service-account-credentials argument is not set to "true" or is not configured, this is a finding. |
| Fix Text (F-57987r859231_fix) |
|---|
| Edit the Controller Manager pod specification file /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml on the RKE2 Control Plane to set the below parameter: --use-service-account-credentials argument=true Once configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server |