The kubeadmin account must be disabled.


Overview

Finding ID: V-257508
Version: CNTR-OS-000040
Rule ID: SV-257508r921467_rule
IA Controls: (none listed)
Severity: Medium
Description
Using a centralized user management solution for account management functions enhances security, simplifies administration, improves user experience, facilitates compliance, and provides scalability and integration capabilities. It is a foundational element of effective identity and access management practices.

OpenShift supports several different types of identity providers. To add users and grant access to OpenShift, an identity provider needs to be configured. Some of the identity provider types, such as HTPassword, only provide simple user management and are not intended for production. Other types are public services, like GitHub. These provider types may not be appropriate, as they are managed by public service providers and are therefore unable to enforce the organization's account management requirements.

After a new install, the default authentication uses kubeadmin as the default cluster-admin account. This default account must be disabled, and another user account must be given cluster-admin rights.

STIG: Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
Date: 2023-08-28

Details

Check Text (C-61243r921465_chk)
Verify the kubeadmin account is disabled by executing the following:

oc get secrets kubeadmin -n kube-system

If the command returns an error because the secret was not found, this is not a finding.

(Example output:
Error from server (NotFound): secrets "kubeadmin" not found)

If the command returns a listing that includes the kubeadmin secret, its type, the data count, and age, this is a finding.

(Example output for a finding:
NAME        TYPE     DATA   AGE
kubeadmin   Opaque   1      6h3m)
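As an added example (not part of the STIG text), a small shell helper that runs the check above and scores it. It goes one step beyond the check text: only a NotFound error is treated as "not a finding", while RBAC, authentication or connectivity errors are reported as indeterminate rather than silently scored as compliant. It assumes `oc` is on PATH with a logged-in session that can read secrets in kube-system; the function names are my own.

```shell
#!/bin/sh
# Added example for STIG V-257508 (CNTR-OS-000040); not the STIG's own code.
# Assumes: `oc` on PATH, logged in with rights to read secrets in kube-system.

# classify_kubeadmin_check EXIT_CODE OUTPUT
#   EXIT_CODE and OUTPUT are the exit status and combined stdout+stderr of:
#     oc get secrets kubeadmin -n kube-system
#   Prints exactly one of: not_a_finding | finding | indeterminate
classify_kubeadmin_check() {
  rc="$1"
  out="$2"
  if [ "$rc" -eq 0 ]; then
    # A successful listing that names the secret means kubeadmin still exists.
    case "$out" in
      *kubeadmin*) echo finding; return 0 ;;
    esac
    # Exit 0 without the secret in the output is unexpected; do not guess.
    echo indeterminate
    return 0
  fi
  # The check text says an error is "not a finding", but only a NotFound
  # error proves the secret is gone. Forbidden/Unauthorized or connection
  # errors say nothing about the secret and must not be scored as compliant.
  case "$out" in
    *NotFound*|*"not found"*) echo not_a_finding ;;
    *) echo indeterminate ;;
  esac
}

# run_kubeadmin_check: executes the real command against the current cluster
# and prints the classification.
run_kubeadmin_check() {
  out=$(oc get secrets kubeadmin -n kube-system 2>&1)
  rc=$?
  classify_kubeadmin_check "$rc" "$out"
}

# Run the live check only when invoked as: sh script.sh --run
[ "${1:-}" = "--run" ] && run_kubeadmin_check
```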
Fix Text (F-61167r921466_fix)
If an alternative IDP is already configured and an administrative user exists with the role of cluster-admin, disable the kubeadmin account by running the following command as a cluster administrator:

oc delete secrets kubeadmin -n kube-system