Source: Kube Bench
ID: 1.3
Version: rh-1.0

1.3 Controller Manager

1.3.1 Ensure that garbage collection is configured as appropriate (Manual)

To configure, follow the directions in Configuring garbage collection for containers and images https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring

1.3.2 Ensure that controller manager healthz endpoints are protected by RBAC (Manual)

None required; profiling is protected by RBAC.

1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Manual)

The OpenShift Controller Manager operator manages and updates the OpenShift Controller Manager. The Kubernetes Controller Manager operator manages and updates the Kubernetes Controller Manager deployed on top of OpenShift. This operator is configured via the KubeControllerManager custom resource.

1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Manual)

None required. OpenShift manages the service account credentials for the scheduler automatically.

1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Manual)

None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform.

1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)

None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform.

1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Manual)

Edit the Controller Manager pod specification file $controllermanagerconf on the master node and ensure the correct value for the --bind-address parameter.
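The flag checks 1.3.3 through 1.3.7 above can be scripted against the controller manager pod spec. The audit below is an added example, not kube-bench's own code; the pod spec it parses is a constructed sample with placeholder paths, not a manifest taken from a real cluster.

```python
"""Audit kube-controller-manager flags against checks 1.3.3-1.3.7 (added example)."""
import json

# Constructed sample pod spec; file paths are placeholders, not real OpenShift paths.
SAMPLE_POD_SPEC = json.dumps({
    "spec": {"containers": [{
        "name": "kube-controller-manager",
        "command": ["kube-controller-manager"],
        "args": [
            "--use-service-account-credentials=true",
            "--service-account-private-key-file=/placeholder/service-account.key",
            "--root-ca-file=/placeholder/ca-bundle.crt",
            "--feature-gates=RotateKubeletServerCertificate=true",
            "--bind-address=0.0.0.0",  # deliberately wrong so 1.3.7 fails
        ],
    }]}
})


def parse_flags(pod_spec_json: str) -> dict:
    """Return {flag_name: value} for every --flag[=value] in command/args of all containers."""
    spec = json.loads(pod_spec_json)
    flags = {}
    for container in spec["spec"]["containers"]:
        for item in container.get("command", []) + container.get("args", []):
            if item.startswith("--"):
                name, _, value = item[2:].partition("=")
                flags[name] = value  # a bare "--flag" records an empty value
    return flags


def audit(flags: dict) -> dict:
    """Map each check id to True (pass) or False (fail) using the expected values above.

    An absent --bind-address fails 1.3.7: the binary's default is 0.0.0.0, not loopback.
    """
    gates = dict(g.split("=", 1) for g in flags.get("feature-gates", "").split(",") if "=" in g)
    return {
        "1.3.3": flags.get("use-service-account-credentials") == "true",
        "1.3.4": bool(flags.get("service-account-private-key-file")),
        "1.3.5": bool(flags.get("root-ca-file")),
        "1.3.6": gates.get("RotateKubeletServerCertificate") == "true",
        "1.3.7": flags.get("bind-address") == "127.0.0.1",
    }


def failing_checks(pod_spec_json: str) -> list:
    """Convenience wrapper: sorted ids of checks that fail for the given pod spec."""
    return sorted(cid for cid, ok in audit(parse_flags(pod_spec_json)).items() if not ok)
```

On a live cluster, feed `failing_checks` the JSON of the controller manager pod (for example from `oc get pod -o json`) instead of the constructed sample.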