Source: Kube Bench
ID: 1.3
Version: cis-1.24

1.3 Controller Manager

1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example, --terminated-pod-gc-threshold=10

1.3.2 Ensure that the --profiling argument is set to false (Automated)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the below parameter. --profiling=false

1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node to set the below parameter. --use-service-account-credentials=true

1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --service-account-private-key-file parameter to the private key file for service accounts. --service-account-private-key-file=

1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --root-ca-file parameter to the certificate bundle file. --root-ca-file=<path/to/file>

1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true

1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)

Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and ensure the correct value for the --bind-address parameter.
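
An added example, not kube-bench's own audit code: a Python check that reads the container arguments from a Controller Manager pod specification and evaluates checks 1.3.1 to 1.3.7 as they are worded above. The manifest sample and its file paths are constructed, and the function names parse_flags and audit are hypothetical.

```python
import re

# Constructed sample of a kube-controller-manager static pod manifest.
# Paths and values are illustrative only; they do not come from the page.
SAMPLE_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-controller-manager
    - --profiling=false
    - --use-service-account-credentials=true
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --bind-address=0.0.0.0
"""

FLAG_RE = re.compile(r'\s*-\s+["\']?--([A-Za-z0-9-]+)(?:=(.*?))?["\']?\s*$')

def parse_flags(manifest_text):
    """Collect --flag=value list items; a bare boolean flag counts as 'true'."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) if m.group(2) is not None else "true"
    return flags

def audit(manifest_text):
    """Return {check_id: passed} for checks 1.3.1-1.3.7 as worded on this page."""
    f = parse_flags(manifest_text)
    gates = dict(g.split("=", 1)
                 for g in f.get("feature-gates", "").split(",") if "=" in g)
    return {
        # 1.3.1 is a Manual check: this only confirms a numeric threshold is
        # set; whether the number is appropriate stays a human decision.
        "1.3.1": f.get("terminated-pod-gc-threshold", "").isdigit(),
        "1.3.2": f.get("profiling") == "false",
        "1.3.3": f.get("use-service-account-credentials") == "true",
        "1.3.4": bool(f.get("service-account-private-key-file")),
        "1.3.5": bool(f.get("root-ca-file")),
        "1.3.6": gates.get("RotateKubeletServerCertificate") == "true",
        "1.3.7": f.get("bind-address") == "127.0.0.1",
    }

if __name__ == "__main__":
    for check_id, passed in audit(SAMPLE_MANIFEST).items():
        print(check_id, "PASS" if passed else "FAIL")
```

On the constructed sample, 1.3.1, 1.3.6 and 1.3.7 fail: the threshold and feature gate are absent, and the bind address is 0.0.0.0 rather than 127.0.0.1.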