Profile applicability: Level 1 - Master Node
Explicitly set a service account private key file for service accounts on the controller manager.
To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with --service-account-private-key-file as appropriate.
Note: By default, --service-account-private-key-file is not set.
Impact
You would need to securely maintain the key file and rotate the keys based on your
organization's key rotation policy.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that the --service-account-private-key-file argument is set as appropriate.
Remediation
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --service-account-private-key-file parameter to the private key file for service accounts.
--service-account-private-key-file=<filename>
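The following shell helper is an added example for the Audit and Remediation steps above; it is not part of the CIS benchmark and not code from the Kubernetes project. It extracts the value of --service-account-private-key-file from a kube-controller-manager command line as printed by ps -ef (both the --flag=value and --flag value forms), checks a static pod manifest for the same argument, and treats a missing flag or an empty value as a failure. The sample command lines and manifest are constructed, and the path /etc/kubernetes/pki/sa.key stands in for <filename>.

```shell
#!/bin/sh
# Added audit helper for this recommendation (not benchmark or Kubernetes code).
# Parses a kube-controller-manager command line and a static pod manifest and
# reports whether --service-account-private-key-file is set to a non-empty value.

FLAG='--service-account-private-key-file'

# Print the value given to the flag on a command line. Handles both
# "--flag=value" and "--flag value"; prints nothing if the flag is absent.
sa_key_flag_value() {
  printf '%s\n' "$1" | awk -v flag="$FLAG" '
    {
      for (i = 1; i <= NF; i++) {
        if (index($i, flag "=") == 1) { print substr($i, length(flag) + 2); exit }
        if ($i == flag && i < NF)     { print $(i + 1); exit }
      }
    }'
}

# Exit status 0 when the flag is present with a non-empty value, 1 otherwise.
sa_key_flag_set() {
  [ -n "$(sa_key_flag_value "$1")" ]
}

# Print the value set in a static pod manifest ("- --flag=value" container
# argument form as used in /etc/kubernetes/manifests); prints nothing if absent.
manifest_sa_key_value() {
  sed -n "s/^[[:space:]]*-[[:space:]]*${FLAG}=//p" "$1" | head -n 1
}

manifest_sa_key_set() {
  [ -n "$(manifest_sa_key_value "$1")" ]
}

# Human-readable verdict for one command line, mirroring the benchmark's audit step.
report_cmdline() {
  if sa_key_flag_set "$1"; then
    echo "PASS: $FLAG=$(sa_key_flag_value "$1")"
  else
    echo "FAIL: $FLAG is not set"
  fi
}

# Audit the live process the way the benchmark does (ps -ef | grep),
# with the bracket trick so the grep itself is not matched.
audit_live_controller_manager() {
  line=$(ps -ef | grep '[k]ube-controller-manager' | head -n 1)
  if [ -z "$line" ]; then
    echo "kube-controller-manager process not found on this host"
    return 2
  fi
  report_cmdline "$line"
}

# Constructed sample command lines (not captured from a real cluster).
SAMPLE_SET='root 1234 1 0 10:00 ? 00:00:05 kube-controller-manager --bind-address=127.0.0.1 --service-account-private-key-file=/etc/kubernetes/pki/sa.key --use-service-account-credentials=true'
SAMPLE_MISSING='root 1235 1 0 10:00 ? 00:00:05 kube-controller-manager --bind-address=127.0.0.1 --use-service-account-credentials=true'
SAMPLE_EMPTY='root 1236 1 0 10:00 ? 00:00:05 kube-controller-manager --service-account-private-key-file= --bind-address=127.0.0.1'

# Constructed manifest fragment in the shape of kube-controller-manager.yaml.
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --use-service-account-credentials=true
EOF

report_cmdline "$SAMPLE_SET"
report_cmdline "$SAMPLE_MISSING"
report_cmdline "$SAMPLE_EMPTY"
if manifest_sa_key_set "$SAMPLE_MANIFEST"; then
  echo "PASS: manifest sets $FLAG=$(manifest_sa_key_value "$SAMPLE_MANIFEST")"
else
  echo "FAIL: manifest does not set $FLAG"
fi
```

On a control plane node, call audit_live_controller_manager to run the check against the real process; the constructed samples exist only so the script demonstrates the pass, missing and empty-value cases offline. Remove the temporary manifest file when finished.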