Ensure that the kubeadmin secret has been removed

An XCCDF Rule

Description

The kubeadmin user is meant to be a temporary user used for bootstrapping purposes. It is preferable to assign system administrators whose users are backed by an Identity Provider.
Make sure to remove the user as described in the documentation.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /api/v1/namespaces/kube-system/secrets/kubeadmin API endpoint, and save the response to the local /api/v1/namespaces/kube-system/secrets/kubeadmin file.
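The following script is an added example of the procedure described above; it is not part of the original rule content or of the ComplianceAsCode project. It assumes a logged-in `oc` session (it uses `oc whoami -t` and `oc whoami --show-server` to obtain the bearer token and API server URL) and `curl` on the path, and it writes the raw API response for the kubeadmin secret to a local file. The evaluation step then inspects the saved response the way the rule's check does: a `Secret` object means the temporary bootstrap user is still present (fail), while a `NotFound` status means it has been removed (pass). The function and file names are chosen for this example.

```bash
#!/bin/sh
# Collect and evaluate the kubeadmin secret state for the
# xccdf_org.ssgproject.content_rule_kubeadmin_removed check.
# Names below (fetch_kubeadmin_dump, evaluate_kubeadmin_dump) are this
# example's own; they are not identifiers from the rule or the project.

API_PATH="/api/v1/namespaces/kube-system/secrets/kubeadmin"

# Save the raw API response for the kubeadmin secret to "$1".
# Assumes an active `oc login` session; curl validates the API server
# certificate against the system trust store (or $OCP_CA_BUNDLE if set).
fetch_kubeadmin_dump() {
  out="$1"
  server="$(oc whoami --show-server)"
  token="$(oc whoami -t)"
  if [ -n "${OCP_CA_BUNDLE:-}" ]; then
    curl -sS --cacert "$OCP_CA_BUNDLE" -H "Authorization: Bearer $token" \
      "$server$API_PATH" -o "$out"
  else
    curl -sS -H "Authorization: Bearer $token" "$server$API_PATH" -o "$out"
  fi
}

# Evaluate a saved response. Exit status:
#   0 = pass   (API returned a NotFound status: secret has been removed)
#   1 = fail   (API returned a Secret object: kubeadmin still exists)
#   2 = error  (file missing or response not recognised)
evaluate_kubeadmin_dump() {
  file="$1"
  [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }
  if grep -q '"kind"[[:space:]]*:[[:space:]]*"Secret"' "$file"; then
    echo "FAIL: kubeadmin secret still present in kube-system"
    return 1
  fi
  if grep -q '"reason"[[:space:]]*:[[:space:]]*"NotFound"' "$file"; then
    echo "PASS: kubeadmin secret has been removed"
    return 0
  fi
  echo "ERROR: unrecognised response in $file" >&2
  return 2
}

# Usage: ./kubeadmin_check.sh [saved-response-file]
# With no argument the script fetches a fresh dump into ./kubeadmin.json first.
main() {
  if [ $# -ge 1 ]; then
    evaluate_kubeadmin_dump "$1"
  else
    fetch_kubeadmin_dump "./kubeadmin.json"
    evaluate_kubeadmin_dump "./kubeadmin.json"
  fi
}

if [ $# -ge 1 ]; then
  main "$@"
fi
```

When the evaluation reports FAIL, the documented remediation is to delete the bootstrap secret (`oc delete secrets kubeadmin -n kube-system`) after at least one identity-provider-backed user has been granted `cluster-admin`; re-running the script afterwards should then report PASS.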

Rationale

The kubeadmin user has an auto-generated password and a self-signed certificate, and has effectively cluster-admin permissions; therefore, it's considered a security liability.

ID
xccdf_org.ssgproject.content_rule_kubeadmin_removed
Severity
Medium
References
Updated