Detections
Analytics
CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.
Information
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the '--use-service-account-credential' value lowers the attack surface by generating unique service accounts settings for each controller instance.Solution
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.Set the value of '--use-service-account-credentials' to 'true'.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R5_STIG.zip
Item Details
Audit Name: DISA STIG Kubernetes v2r5
Category: ACCESS CONTROL
References: 800-53|AC-2(1), CAT|I, CCI|CCI-000015, Rule-ID|SV-242381r1043176_rule, STIG-ID|CNTR-K8-000220, Vuln-ID|V-242381
Plugin: Unix
Control ID: fe2cedccd2bcee1afb3da059540fc7105cf0e5d07c700cd770fce61bb278cea7