Ensure that use-service-account-credentials is enabled
An XCCDF Rule
Description
To ensure individual service account credentials are used,
set the use-service-account-credentials option to true
in the openshift-kube-controller-manager configmap on the master
node(s):
"extendedArguments": {
...
"use-service-account-credentials": [
"true"
],
...
warning alert: Warning
-
{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}API endpoint, filter with with thejqutility using the following filter{{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--use-service-account-credentials=true") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["use-service-account-credentials"][]=="true" then true else false end]{{end}}and persist it to the local
Rationale
The controller manager creates a service account per controller in
kube-system namespace, generates an API token and credentials for it,
then builds a dedicated API client with that service account credential
for each controller loop to use. Setting the
use-service-account-credentials to true runs each
control loop within the controller manager using a separate service
account credential. When used in combination with RBAC, this ensures
that the control loops run with the minimum permissions required to
perform their intended tasks.
- ID
- xccdf_org.ssgproject.content_rule_controller_use_service_account
- Severity
- Medium
- References
- Updated