Detections
Analytics
CNTR-R2-000030 - RKE2 must use a centralized user management solution to support account management functions.
Information
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.Solution
Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following "kube-controller-manager-arg" argument:- use-service-account-credentials=true
Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_RKE2_V2R5_STIG.zip
Item Details
Audit Name: DISA Rancher Government Solutions RKE2 STIG v2r5
Category: ACCESS CONTROL
References: 800-53|AC-2(1), CAT|II, CCI|CCI-000015, Rule-ID|SV-254554r1043176_rule, STIG-ID|CNTR-R2-000030, Vuln-ID|V-254554
Plugin: Unix
Control ID: e28b273f245687da8a6917e2af0a76db05c384693e65dbe3abccad425861cc03