Ensure the --service-account-private-key-file argument for controller managers is set appropriately

Error: The --service-account-private-key-file argument for controller managers is not set appropriately

Bridgecrew Policy ID: BC_K8S_83
Checkov Check ID: CKV_K8S_110
Severity: HIGH

The --service-account-private-key-file argument for controller managers is not set appropriately

Description

Explicitly set a service account private key file for service accounts on the controller manager. To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with --service-account-private-key-file as appropriate.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      component: kube-controller-manager
      tier: control-plane
    name: kube-controller-manager
    namespace: kube-system
  spec:
    containers:
    - command:
      - kube-controller-manager
+     -  --service-account-private-key-file=public.pem
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0