UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RKE2 must use a centralized user management solution to support account management functions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-254554 CNTR-R2-000030 SV-254554r918252_rule Medium
Description
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.
STIG Date
Rancher Government Solutions RKE2 Security Technical Implementation Guide 2023-11-30

Details

Check Text ( C-58038r859230_chk )
Ensure use-service-account-credentials argument is set correctly.

Run this command on the RKE2 Control Plane:
/bin/ps -ef | grep kube-controller-manager | grep -v grep

If --use-service-account-credentials argument is not set to "true" or is not configured, this is a finding.
Fix Text (F-57987r918225_fix)
Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following "kube-controller-manager-arg" argument:
- use-service-account-credentials=true

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server