1.3.3 Ensure that the --use-service-account-credentials argument is set to true

Information

Use individual service account credentials for each controller.

Rationale:

The controller manager creates a service account per controller in the 'kube-system' namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the '--use-service-account-credentials' to 'true' runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.

Solution

Edit the Controller Manager pod specification file '/etc/kubernetes/manifests/kube-controller-manager.yaml' on the master node to set the below parameter.

--use-service-account-credentials=true

Impact:

Whatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the 'kube-system' namespace automatically with default roles and rolebindings that are auto-reconciled on startup.

If using other authorization methods (ABAC, Webhook, etc), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the 'controller-roles.yaml' and 'controller-role-bindings.yaml' files for the RBAC roles.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: d4b6c302b1d4db2534204498c1bc9c43c548f3966dd94e7a2f750a2ee9f3aee1