V-242381—The Kubernetes Controller Manager must create unique service accounts for each work payload.
CAT I - High
CNTR-K8-000220
>Control Description
The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a High risk to the Kubernetes Controller Manager. Setting the "--use-service-account-credential" value lowers the attack surface by generating unique service accounts settings for each controller instance.
>Check Content
Change to the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
$grep -i use-service-account-credentials *If the setting "--use-service-account-credentials" is not configured in the Kubernetes Controller Manager manifest file or it is set to "false", this is a finding.
>Remediation
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Set the value of "--use-service-account-credentials" to "true".
>CCI References
Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.
>Cross-Framework Mappings
NIST SP 800-53 r5
via DISA CCI ListAsk AI
Configure your API key to use AI features.