Check: CNTR-R2-000030
Rancher Government Solutions RKE2 STIG:
CNTR-R2-000030
(in versions v2 r2 through v1 r1)
Title
RKE2 must use a centralized user management solution to support account management functions. (Cat II impact)
Discussion
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.
Check Content
Ensure use-service-account-credentials argument is set correctly. Run this command on the RKE2 Control Plane: /bin/ps -ef | grep kube-controller-manager | grep -v grep If --use-service-account-credentials argument is not set to "true" or is not configured, this is a finding.
Fix Text
Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following "kube-controller-manager-arg" argument: - use-service-account-credentials=true Once the configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server
Additional Identifiers
Rule ID: SV-254554r960768_rule
Vulnerability ID: V-254554
Group Title: SRG-APP-000023-CTR-000055
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000015 |
Support the management of system accounts using organization-defined automated mechanisms. |
Controls
Number | Title |
---|---|
AC-2(1) |
Automated System Account Management |