RKE2 must use a centralized user management solution to support account management functions.

An XCCDF Rule

Description

The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.

ID: SV-254554r1043176_rule
Version: CNTR-R2-000030
Severity: Medium
References: CCI-000015
Updated: 6 days ago

Remediation Templates

Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following "kube-controller-manager-arg" argument:
- use-service-account-credentials=true

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server

RKE2 must use a centralized user management solution to support account management functions.

Description

Remediation Templates

A Manual Procedure