Details
Use individual service account credentials for each controller.
Rationale:
The controller manager creates a service account per controller in the ‘kube-system’ namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the ‘–use-service-account-credentials’ to ‘true’ runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.
Solution
Edit the Controller Manager pod specification file ‘/etc/kubernetes/manifests/kube-controller-manager.yaml’ on the master node to set the below parameter.
–use-service-account-credentials=true
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.