
Configure the Service Account Certificate Authority Key for the Controller Manager

An XCCDF Rule

Description

To ensure the API Server utilizes its own key pair, set the masterCA parameter to the public key file for service accounts in the openshift-kube-controller-manager configmap on the master node(s):

"extendedArguments": {
...
  "root-ca-file": [
    "/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"
  ],
...

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--root-ca-file") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["root-ca-file"]!=null then true else false end]{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8 file.
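The warning above spells out the check as a jq filter over an API response. The following added example (not part of the ComplianceAsCode rule or the Compliance Operator's own check) reproduces both branches of that filter in Python so the logic can be exercised offline: the standard branch reads the kube-controller-manager configmap, decodes its config.yaml JSON and tests for the root-ca-file extended argument; the HyperShift branch inspects the first container of the first pod and requires exactly one --root-ca-file argument. Both API responses are constructed samples, and the file paths inside them are placeholders, not values from the page.

```python
"""Added example: the rule's two jq-style conditions evaluated in Python.

Not the rule's own check; the API responses below are constructed samples.
"""
import json

# Constructed sample of a trimmed response from
# GET /api/v1/namespaces/openshift-kube-controller-manager/configmaps/config.
# The value of data."config.yaml" is itself a JSON document, which is why
# the jq filter applies fromjson before looking at extendedArguments.
SAMPLE_CONFIGMAP = {
    "kind": "ConfigMap",
    "data": {
        "config.yaml": json.dumps({
            "extendedArguments": {
                "root-ca-file": [
                    "/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"
                ]
            }
        })
    },
}

# Constructed sample for the HyperShift branch: a pod list for the
# kube-controller-manager pods, where the flag is passed as a container arg.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {
            "spec": {
                "containers": [
                    {
                        "name": "kube-controller-manager",
                        "args": [
                            "--root-ca-file=/placeholder/path/root-ca.crt",  # placeholder path
                            "--use-service-account-credentials=true",
                        ],
                    }
                ]
            }
        }
    ],
}


def configmap_has_root_ca(configmap: dict) -> bool:
    """Equivalent of the jq filter
    [.data."config.yaml" | fromjson | if .extendedArguments["root-ca-file"]!=null then true else false end]
    A missing data key, missing config.yaml, or missing argument all yield False.
    """
    raw = configmap.get("data", {}).get("config.yaml")
    if raw is None:
        return False
    config = json.loads(raw)
    extended = config.get("extendedArguments") or {}
    return extended.get("root-ca-file") is not None


def pod_has_root_ca_arg(podlist: dict) -> bool:
    """Equivalent of the HyperShift jq filter: count the args of
    items[0].spec.containers[0] that match --root-ca-file and require exactly one.
    jq's match() is a regex substring test, so a plain substring test is used here.
    """
    try:
        args = podlist["items"][0]["spec"]["containers"][0]["args"]
    except (KeyError, IndexError, TypeError):
        return False
    matches = [a for a in args if "--root-ca-file" in a]
    return len(matches) == 1


def result_document(passed: bool) -> str:
    """The jq filters wrap their boolean in an array, so the persisted file
    holds "[true]" or "[false]"; this returns that same text."""
    return json.dumps([passed])


if __name__ == "__main__":
    print("configmap branch:", result_document(configmap_has_root_ca(SAMPLE_CONFIGMAP)))
    print("hypershift branch:", result_document(pod_has_root_ca_arg(SAMPLE_PODLIST)))
```

In a real run the two sample dictionaries would be replaced by the parsed output of the API query the warning names, and the string returned by result_document is what gets persisted to the local file the warning mentions.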

Rationale

Service accounts authenticate to the API using tokens signed by a private RSA key. The authentication layer verifies the signature using a matching public RSA key. Configuring the certificate authority file ensures that the API server's signing certificates are validated.

ID
xccdf_org.ssgproject.content_rule_controller_service_account_ca
Severity
Medium
References
Updated