
Configure the Service Account Public Key for the API Server

An XCCDF Rule

Description

To ensure the API Server utilizes its own key pair, edit the openshift-kube-apiserver configmap and set the serviceAccountPublicKeyFiles parameter to the public key file for service accounts:

...
"serviceAccountPublicKeyFiles":[
  "/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs"
],
...

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint; filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

Rationale

By default, if no service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens are rotated as needed, a separate public/private key pair should be used for signing service account tokens.
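The following Python script is an added example, not the rule's own OVAL check: it applies the same extraction as the jq filter above (.data."config.yaml" | fromjson) to a constructed configmap document and evaluates whether serviceAccountPublicKeyFiles points at a dedicated signing key. The configmap contents are a constructed sample trimmed to the fields the check needs; the data key can be switched to "config.json" for the HyperShift variant named in the warning.

```python
import json

# Expected value taken from the rule description above.
EXPECTED_KEY_FILE = "/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs"

# Constructed sample of what the configmaps/config API endpoint returns, trimmed
# to the fields this check needs. The embedded config.yaml is JSON text, which is
# what the rule's `fromjson` filter expects.
SAMPLE_CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
    "data": {
        "config.yaml": json.dumps({
            "apiVersion": "kubecontrolplane.config.openshift.io/v1",
            "kind": "KubeAPIServerConfig",
            "serviceAccountPublicKeyFiles": [EXPECTED_KEY_FILE],
        })
    },
}


def extract_kas_config(configmap: dict, data_key: str = "config.yaml") -> dict:
    """Python equivalent of the jq filter `.data."config.yaml" | fromjson`.

    Use data_key="config.json" for the HyperShift kas-config configmap."""
    return json.loads(configmap["data"][data_key])


def check_service_account_public_key(kas_config: dict, expected: str = EXPECTED_KEY_FILE):
    """Pass only when serviceAccountPublicKeyFiles is a non-empty list containing
    the expected path; a missing or empty list means the API server falls back
    to the TLS serving key, which is the condition the rule flags."""
    files = kas_config.get("serviceAccountPublicKeyFiles")
    if not isinstance(files, list) or not files:
        return False, "serviceAccountPublicKeyFiles missing or empty (falls back to TLS serving key)"
    if expected not in files:
        return False, f"serviceAccountPublicKeyFiles does not include {expected}: {files}"
    return True, "serviceAccountPublicKeyFiles references a dedicated service account signing key"


if __name__ == "__main__":
    ok, msg = check_service_account_public_key(extract_kas_config(SAMPLE_CONFIGMAP))
    print("PASS" if ok else "FAIL", "-", msg)
```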

ID
xccdf_org.ssgproject.content_rule_api_server_service_account_public_key
Severity
Medium
References
Updated