UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RKE2 must use a centralized user management solution to support account management functions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-254554 CNTR-R2-000030 SV-254554r879522_rule Medium
Description
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.
STIG Date
Rancher Government Solutions RKE2 Security Technical Implementation Guide 2023-02-27

Details

Check Text ( C-58038r859230_chk )
Ensure use-service-account-credentials argument is set correctly.

Run this command on the RKE2 Control Plane:
/bin/ps -ef | grep kube-controller-manager | grep -v grep

If --use-service-account-credentials argument is not set to "true" or is not configured, this is a finding.
Fix Text (F-57987r859231_fix)
Edit the Controller Manager pod specification file /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml on the RKE2 Control Plane to set the below parameter:
--use-service-account-credentials argument=true

Once configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server