Source: Kube Bench
ID: 3
Version: rh-0.7

3 Controller Manager

3.1 Adjust the terminated-pod-gc-threshold argument as needed

Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set terminated-pod-gc-threshold under the controllerArguments section. The argument takes an integer, the number of terminated pods the controller manager keeps before it garbage-collects the oldest (the upstream default is 12500); a boolean value is not valid here. Values under controllerArguments are lists of strings, so quote the number:

kubernetesMasterConfig:
  controllerArguments:
    terminated-pod-gc-threshold:
    - "100"

Setting the "terminated-pod-gc-threshold" argument is optional. The value 100 above is only illustrative; choose a threshold that fits the cluster's pod churn.

3.2 Verify that Controller profiling is not exposed to the web

3.3 Verify that the --use-service-account-credentials argument is set to true

Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials to true under the controllerArguments section, so that each controller loop runs with its own service account instead of the controller manager's shared credentials:

kubernetesMasterConfig:
  controllerArguments:
    use-service-account-credentials:
    - "true"

3.4 Verify that the --service-account-private-key-file argument is set as appropriate

Edit the OpenShift master config file /etc/origin/master/master-config.yaml and remove any service-account-private-key-file entry from the controllerArguments section. OpenShift already supplies the service-account signing key through serviceAccountConfig.privateKeyFile in the same file, and that key must match the public keys listed in serviceAccountConfig.publicKeyFiles, which the API server uses to verify tokens; an explicit controllerArguments override is unnecessary and can leave the two out of step.

3.5 Verify that the --root-ca-file argument is set as appropriate

Reset to the OpenShift defaults. OpenShift starts kube-controller-manager with root-ca-file=/etc/origin/master/ca-bundle.crt by default, and the advanced (Ansible-based) installation creates this certificate authority and the matching configuration; no further configuration is required. Remove any root-ca-file override under controllerArguments that points elsewhere.

https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html

3.6 Verify that Security Context Constraints are applied to Your Pods and Containers

3.7 Manage certificate rotation

RotateKubeletServerCertificate is a Kubernetes feature gate, enabled for the controller manager through the feature-gates argument under controllerArguments (RotateKubeletServerCertificate=true). If you decide not to enable it, be sure to use the Ansible playbooks provided with the OpenShift installer to automate re-deploying certificates before they expire.
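Checks 3.1, 3.3, 3.4, 3.5 and 3.7 all read the same controllerArguments block of master-config.yaml, so the following is an added example (not kube-bench or OpenShift code) of a POSIX shell audit that flattens that block and evaluates each item against the expectations above. It assumes the two-space YAML layout shown on this page with one "- value" list item per flag; the two sample master-config.yaml files it writes are constructed for the demonstration, and the 3.7 check reports a missing feature gate as a warning rather than a failure, matching the wording above.

```shell
#!/bin/sh
# Added example, not kube-bench or OpenShift code: audit the
# kubernetesMasterConfig.controllerArguments block of an OpenShift 3
# master-config.yaml against the section 3 checks above.
# Assumption: two-space YAML layout as shown on this page, one "- value" list
# item per flag. The sample configs written by write_sample are constructed.

# controller_args FILE: flatten controllerArguments into "flag=value" lines.
controller_args() {
  awk '
    /^[^ ]/                             { in_kmc = 0; in_ca = 0 }
    /^kubernetesMasterConfig:/          { in_kmc = 1; next }
    in_kmc && /^  controllerArguments:/ { in_ca = 1; next }
    in_ca && /^  [^ ]/                  { in_ca = 0 }
    in_ca && /^    [^ -]/               { flag = $0; sub(/^ +/, "", flag); sub(/:.*/, "", flag); next }
    in_ca && /^    - /                  { v = $0; sub(/^ +- +/, "", v); gsub(/"/, "", v); print flag "=" v }
  ' "$1"
}

# arg_value FILE FLAG: print the flag's value(s); empty output means unset.
arg_value() {
  controller_args "$1" | awk -v f="$2" 'index($0, f "=") == 1 { print substr($0, length(f) + 2) }'
}

# audit_controller_manager FILE: one PASS/WARN/FAIL line per check; returns 1 on any FAIL.
audit_controller_manager() {
  cfg=$1; rc=0
  v=$(arg_value "$cfg" terminated-pod-gc-threshold)
  case "$v" in
    '')       echo "WARN 3.1 terminated-pod-gc-threshold unset (optional; upstream default 12500)" ;;
    *[!0-9]*) echo "FAIL 3.1 terminated-pod-gc-threshold must be an integer, got '$v'"; rc=1 ;;
    *)        echo "PASS 3.1 terminated-pod-gc-threshold=$v" ;;
  esac
  v=$(arg_value "$cfg" use-service-account-credentials)
  if [ "$v" = true ]; then echo "PASS 3.3 use-service-account-credentials=true"
  else echo "FAIL 3.3 use-service-account-credentials is '${v:-unset}', want true"; rc=1; fi
  v=$(arg_value "$cfg" service-account-private-key-file)
  if [ -z "$v" ]; then echo "PASS 3.4 no service-account-private-key-file override"
  else echo "FAIL 3.4 service-account-private-key-file override present: $v"; rc=1; fi
  v=$(arg_value "$cfg" root-ca-file)
  case "$v" in
    ''|/etc/origin/master/ca-bundle.crt) echo "PASS 3.5 root-ca-file=${v:-/etc/origin/master/ca-bundle.crt (default)}" ;;
    *) echo "FAIL 3.5 root-ca-file overridden to '$v'; reset to the OpenShift default"; rc=1 ;;
  esac
  v=$(arg_value "$cfg" feature-gates)
  case ",$v," in
    *,RotateKubeletServerCertificate=true,*) echo "PASS 3.7 RotateKubeletServerCertificate enabled" ;;
    *) echo "WARN 3.7 RotateKubeletServerCertificate not enabled; redeploy certificates with the installer playbooks" ;;
  esac
  return $rc
}

# write_sample good|bad DEST: constructed sample master-config.yaml files (not real cluster files).
write_sample() {
  if [ "$1" = good ]; then cat > "$2" <<'EOF'
apiVersion: v1
kubernetesMasterConfig:
  apiServerArguments:
    audit-log-path:
    - /var/log/audit.log
  controllerArguments:
    terminated-pod-gc-threshold:
    - "100"
    use-service-account-credentials:
    - "true"
    feature-gates:
    - RotateKubeletServerCertificate=true
  masterIP: 10.0.0.1
serviceAccountConfig:
  privateKeyFile: serviceaccounts.private.key
EOF
  else cat > "$2" <<'EOF'
kubernetesMasterConfig:
  controllerArguments:
    terminated-pod-gc-threshold:
    - true
    use-service-account-credentials:
    - "false"
    service-account-private-key-file:
    - /etc/origin/master/serviceaccounts.private.key
    root-ca-file:
    - /tmp/other-ca.crt
EOF
  fi
}

# Demo: the compliant sample passes, the non-compliant one returns 1.
tmp=$(mktemp)
write_sample good "$tmp" && audit_controller_manager "$tmp"
write_sample bad "$tmp" && audit_controller_manager "$tmp" || echo "bad sample: non-compliant"
rm -f "$tmp"
```

On a master, run `audit_controller_manager /etc/origin/master/master-config.yaml` against the real file. kube-bench performs equivalent checks with grep; this version additionally rejects a non-integer terminated-pod-gc-threshold, which kube-bench's own remediation text for 3.1 would otherwise let through.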