Profile applicability: Level 1 - Master Node
Use individual service account credentials for each controller.
The controller manager creates a service account per controller in the
kube-system namespace, generates a credential for it, and builds a dedicated
API client with that service account credential for each controller loop to use. Setting
the
--use-service-account-credentials to true runs each control
loop within the controller manager using a separate service account credential. When
used in
combination with RBAC, this ensures that the control loops run with the minimum permissions
required to perform their intended tasks. |
NoteBy default,
--use-service-account-credentials is set to
false. |
Impact
Whatever authorizer is configured for the cluster, it must grant sufficient permissions
to the
service accounts to perform their intended tasks. When using the RBAC authorizer,
those roles
are created and bound to the appropriate service accounts in the
kube-system
namespace automatically with default roles and rolebindings that are auto- reconciled
on
startup.If using other authorization methods (ABAC, Webhook, etc), the cluster deployer is
responsible
for granting appropriate permissions to the service accounts (the required permissions
can be
seen by inspecting the
controller-roles.yaml and
controller-role-bindings.yaml files for the RBAC roles.Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that the
--use-service-account-credentials argument is set to
true.Remediation
Edit the Controller Manager pod specification file
/etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane
node to set the below parameter.--use-service-account-credentials=true