Details
Explicitly set a service account private key file for service accounts on the controller manager.
Rationale:
To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `–service-account-private-key-file` as appropriate.
Solution
Edit the `/etc/kubernetes/controller-manager` file on the master node and set the `KUBE_CONTROLLER_MANAGER_ARGS` parameter to `–service-account-private-key-file=`: `KUBE_CONTROLLER_MANAGER_ARGS=’–service-account-private-key-file=’`
Based on your system, restart the `kube-controller-manager` service. For example: `systemctl restart kube-controller-manager.service`
Impact:
You would need to securely maintain the key file and rotate the keys based on your organization’s key rotation policy.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.