Ensure the --use-service-account-credentials argument for controller managers is set to True

Error: The --use-service-account-credentials argument for controller managers is not set to True

Bridgecrew Policy ID: BC_K8S_82
Checkov Check ID: CKV_K8S_108
Severity: HIGH

The --use-service-account-credentials argument for controller managers is not set to True

Description

Use individual service account credentials for each controller. The controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting --use-service-account-credentials to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.

Fix - Buildtime

Kubernetes

  • Kind: Pod
  apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      component: kube-controller-manager
      tier: control-plane
    name: kube-controller-manager
    namespace: kube-system
  spec:
    containers:
    - command:
      - kube-controller-manager
+     - --use-service-account-credentials=true
      image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
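The check below is an added example of how a policy engine can evaluate a kube-controller-manager Pod manifest against this rule; it is not Checkov's own implementation of CKV_K8S_108. It assumes the manifest has already been loaded into a Python dict (as `yaml.safe_load` or `json.loads` would produce), identifies the controller-manager container by its entrypoint binary, and resolves the flag with the semantics kube-controller-manager's flag parser (Go's pflag) uses for boolean flags: `--flag=VALUE`, a bare `--flag` meaning true, the last occurrence winning, and values accepted only in the spellings Go's `strconv.ParseBool` understands. The `example_pod` helper and the container `name` are constructed for the example.

```python
"""Policy check for --use-service-account-credentials on kube-controller-manager.

Added example; not Checkov's code. Operates on a Pod manifest loaded as a dict.
"""
from typing import List, Optional, Tuple

FLAG = "--use-service-account-credentials"

# Spellings Go's strconv.ParseBool accepts; pflag uses it for boolean flags.
GO_TRUE = {"1", "t", "T", "TRUE", "true", "True"}
GO_FALSE = {"0", "f", "F", "FALSE", "false", "False"}


def flag_value(argv: List[str], flag: str) -> Optional[str]:
    """Return the effective value of a boolean flag in argv, or None if absent.

    pflag semantics: `--flag=VALUE` sets VALUE; a bare `--flag` means true;
    a boolean flag never consumes the following argument, so `--flag true`
    is the bare form followed by an unrelated positional. If the flag is
    repeated, the last occurrence wins.
    """
    value = None
    for arg in argv:
        if arg == flag:
            value = "true"
        elif arg.startswith(flag + "="):
            value = arg[len(flag) + 1:]
    return value


def is_controller_manager(container: dict) -> bool:
    """A container is the controller manager if its argv names the binary."""
    argv = container.get("command", []) + container.get("args", [])
    return any(a.split("/")[-1] == "kube-controller-manager" for a in argv)


def check_pod(pod: dict) -> Tuple[bool, str]:
    """Evaluate the rule on one Pod manifest; returns (passed, reason)."""
    containers = pod.get("spec", {}).get("containers", [])
    targets = [c for c in containers if is_controller_manager(c)]
    if not targets:
        return True, "no kube-controller-manager container; rule not applicable"
    for c in targets:
        name = c.get("name", "<unnamed>")
        argv = c.get("command", []) + c.get("args", [])
        value = flag_value(argv, FLAG)
        if value is None:
            # The flag defaults to false, so an absent flag is a failure.
            return False, f"{name}: {FLAG} not set (defaults to false)"
        if value in GO_FALSE:
            return False, f"{name}: {FLAG}={value}"
        if value not in GO_TRUE:
            return False, f"{name}: {FLAG}={value!r} is not a Go boolean; flag parsing rejects it"
    return True, "each controller loop runs with its own service account credential"


def example_pod(extra_args: List[str]) -> dict:
    """Constructed manifest mirroring the page's Pod, with extra_args appended."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "kube-controller-manager", "namespace": "kube-system"},
        "spec": {"containers": [{
            "name": "kube-controller-manager",  # constructed; the page's snippet omits name
            "image": "gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0",
            "command": ["kube-controller-manager"] + extra_args,
        }]},
    }


if __name__ == "__main__":
    for label, args in [
        ("before fix", []),
        ("after fix", ["--use-service-account-credentials=true"]),
        ("explicit false", ["--use-service-account-credentials=false"]),
        ("bare flag", ["--use-service-account-credentials"]),
    ]:
        passed, reason = check_pod(example_pod(args))
        print(f"{label:15} {'PASS' if passed else 'FAIL'}: {reason}")
```

Running the module evaluates the page's manifest before and after the fix together with two edge cases. The bare-flag form passes because pflag treats a boolean flag without a value as true; a repeated flag is resolved to its last value, so `--use-service-account-credentials=true` followed later by `=false` fails, which is the case a naive substring match for `=true` would miss.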