Check: CNTR-K8-000220
Kubernetes STIG:
CNTR-K8-000220
(in versions v1 r10 through v1 r7)
Title
The Kubernetes Controller Manager must create unique service accounts for each work payload. (Cat I impact)
Discussion
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.
Check Content
Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command: grep -i use-service-account-credentials * If the setting use-service-account-credentials is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding.
Fix Text
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Set the value of "use-service-account-credentials" to "true".
Additional Identifiers
Rule ID: SV-242381r879522_rule
Vulnerability ID: V-242381
Group Title: SRG-APP-000023-CTR-000055
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000015 |
Support the management of system accounts using organization-defined automated mechanisms. |
Controls
Number | Title |
---|---|
AC-2(1) |
Automated System Account Management |