The Kubernetes Controller Manager must create unique service accounts for each work payload.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-242381 | CNTR-K8-000220 | SV-242381r1043176_rule | CCI-000015 | high |
| Description | ||||
| The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the "--use-service-account-credential" value lowers the attack surface by generating unique service accounts settings for each controller instance. | ||||
| STIG | Date | |||
| Kubernetes Security Technical Implementation Guide | 2025-05-16 | |||
Details
Check Text (C-242381r1043176_chk)
Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Run the command:
grep -i use-service-account-credentials *
If the setting "--use-service-account-credentials" is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding.
Fix Text (F-45614r927076_fix)
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the value of "--use-service-account-credentials" to "true".