Kubernetes STIG Version Comparison
Kubernetes Security Technical Implementation Guide
Comparison
There are 12 differences between versions v1 r1 (April 13, 2021) (the "left" version) and v1 r3 (Oct. 27, 2021) (the "right" version).
Check CNTR-K8-000220 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
The Kubernetes Controller Manager must create unique service accounts for each work payload.
Check Content
Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Run the command:
grep -i [removed: use-service-account-credential] [added: use-service-account-credentials] *
If the setting [removed: use-service-account-credential] [added: use-service-account-credentials] is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding.
Discussion
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service account settings for each controller instance.
Fix
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of [removed: "use-service-account-credential"] [added: "use-service-account-credentials"] to "true".
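The check and fix above can be scripted. The following is an added example, not part of the STIG text, that evaluates CNTR-K8-000220 against a kube-controller-manager static-pod manifest; it matches only the plural flag name (the v1 r3 wording), since the singular spelling is not a real kube-controller-manager flag, and it treats a bare boolean flag as "true" the way the Go flag parser does. The manifest path and the sample manifests are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the STIG text: evaluate check CNTR-K8-000220
# against a kube-controller-manager manifest. Returns 0 (PASS) when
# --use-service-account-credentials is set to true, 1 (FINDING) when the
# flag is absent or set to anything else.
check_cntr_k8_000220() {
  manifest="$1"
  # Ignore YAML comment lines, then take the first line carrying the flag.
  line=$(grep -v '^[[:space:]]*#' "$manifest" \
         | grep -- '--use-service-account-credentials' | head -n 1)
  if [ -z "$line" ]; then
    echo "FINDING: --use-service-account-credentials not configured in $manifest"
    return 1
  fi
  # Extract the value after "=" or whitespace; strip quotes, normalise case.
  value=$(printf '%s\n' "$line" | tr -d "\"'" \
          | sed -n 's/.*--use-service-account-credentials[=[:space:]]*\([A-Za-z0-9]*\).*/\1/p' \
          | tr 'A-Z' 'a-z')
  # A bare boolean flag with no value is parsed as true by the Go flag library.
  if [ -z "$value" ]; then value=true; fi
  case "$value" in
    true|t|1) echo "PASS: --use-service-account-credentials=true in $manifest"; return 0 ;;
    *)        echo "FINDING: --use-service-account-credentials=$value in $manifest"; return 1 ;;
  esac
}

# Demo on constructed manifests (not real cluster files; path is an assumption).
demo_dir=$(mktemp -d)
cat > "$demo_dir/compliant.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-controller-manager
    - --use-service-account-credentials=true
EOF
cat > "$demo_dir/noncompliant.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-controller-manager
    - --use-service-account-credentials=false
EOF
check_cntr_k8_000220 "$demo_dir/compliant.yaml"
check_cntr_k8_000220 "$demo_dir/noncompliant.yaml" || true
rm -rf "$demo_dir"
```

On a kubeadm-built control plane the manifest is normally /etc/kubernetes/manifests/kube-controller-manager.yaml; run the function against that path to reproduce the STIG check.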