# Ensure that the --use-service-account-credentials argument is set to true

| Property | |
|---|---|
| Language | |
| Severity | |
## Description

The kube-controller-manager is not configured to use individual service account credentials for each controller, as the --use-service-account-credentials argument is not set to true. This results in all controllers sharing the same set of credentials, reducing isolation between components.
## Impact
If exploited, this misconfiguration could allow a compromised controller to access resources or perform actions intended only for other controllers, increasing the risk of privilege escalation and lateral movement within the cluster.
## Resolution
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node to set the below parameter.
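An added audit helper (not part of the original rule text or any benchmark tooling) that checks a kube-controller-manager static pod manifest for the flag, so the setting can be verified before and after the edit. The sample manifests it writes are constructed and abridged; only the file paths and names are assumptions.

```shell
# Audit a kube-controller-manager manifest for --use-service-account-credentials.
# POSIX sh, grep, sed and mktemp only; no YAML parser required.

# check_sa_credentials MANIFEST
# Returns 0 when the controller manager is started with
# --use-service-account-credentials enabled, 1 otherwise.
check_sa_credentials() {
    manifest="$1"
    if [ ! -r "$manifest" ]; then
        echo "FAIL $manifest: cannot read manifest"
        return 1
    fi
    # The last occurrence wins, matching how the binary's flag parser
    # treats a repeated flag. Only command/args tokens are expected to match.
    last=$(grep -oE -- '--use-service-account-credentials(=[A-Za-z0-9]+)?' "$manifest" | tail -n 1)
    case "$last" in
        '')
            echo "FAIL $manifest: flag absent (the default is false)"; return 1 ;;
        --use-service-account-credentials|--use-service-account-credentials=true)
            # A bare boolean flag means true to the Go flag parser.
            echo "PASS $manifest: $last"; return 0 ;;
        *)
            echo "FAIL $manifest: $last"; return 1 ;;
    esac
}

# Constructed sample manifests (abridged kubeadm-style static pods), written
# to an assumed temp directory so the check can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
GOOD_MANIFEST="$SAMPLE_DIR/kube-controller-manager.good.yaml"
BAD_MANIFEST="$SAMPLE_DIR/kube-controller-manager.bad.yaml"
cat > "$GOOD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
spec:
  containers:
  - name: kube-controller-manager
    command:
    - kube-controller-manager
    - --use-service-account-credentials=true
EOF
# The same pod with the flag explicitly disabled (the weak configuration).
sed 's/--use-service-account-credentials=true/--use-service-account-credentials=false/' \
    "$GOOD_MANIFEST" > "$BAD_MANIFEST"
for m in "$GOOD_MANIFEST" "$BAD_MANIFEST"; do
    check_sa_credentials "$m" || :
done
```

On a real control plane node, point the function at /etc/kubernetes/manifests/kube-controller-manager.yaml instead of the constructed samples.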