Profile Applicability:
Level 1
Description:
Ensure that the --use-service-account-credentials argument is set to true in the Kubernetes API server configuration. This argument enables the use of service account credentials for authenticating and authorizing API requests in the Kubernetes cluster, allowing Kubernetes to automatically associate service account credentials with their respective resources.
Rationale:
Setting the --use-service-account-credentials argument to true ensures that Kubernetes uses service account credentials to authenticate and authorize service accounts for their operations. This enhances security and ensures that only authorized services and applications can access Kubernetes resources, following the principle of least privilege.
Impact:
Pros:
Enables Kubernetes to manage service account authentication automatically, improving security and simplifying access control.
Ensures that service accounts are properly authorized to access resources.
Reduces the risk of unauthorized access by associating credentials with the relevant service accounts.
Cons:
Requires proper management of service account credentials, which could add complexity to the Kubernetes configuration.
If misconfigured, it could lead to failed authentication and authorization, causing service disruptions.
Default Value:
By default, the --use-service-account-credentials argument may not be set. It needs to be explicitly configured to enable service account credential management.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Sufficient privileges (root or administrator access) to modify the API server flags.
A Kubernetes environment with service accounts and proper access control in place.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --use-service-account-credentials argument in the API server configuration.
Ensure that the --use-service-account-credentials argument is set to true.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check for the presence of the --use-service-account-credentials argument in the API server arguments section:
- --use-service-account-credentials=true
Ensure that the --use-service-account-credentials argument is set to true. If it is not, update the configuration to enable service account credentials usage.
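The same Test Plan check, as an added shell example that is not part of the benchmark text: it parses the manifest returned by the kubectl command above and reports whether the argument is present and set to true. It assumes the flag is written in the "--flag=value" form inside the container's command or args list, and uses constructed sample manifests so it runs offline.

```shell
#!/bin/sh
# Added example: classify the --use-service-account-credentials flag in a
# kube-system manifest as "true", "false" or "missing".
# Assumption: the flag appears as a YAML list item in "--flag=value" form.

# Constructed sample manifests standing in for the output of:
#   kubectl get deployment -n kube-system kube-apiserver -o yaml
MANIFEST_COMPLIANT='
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --use-service-account-credentials=true
'
MANIFEST_FALSE='
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - "--use-service-account-credentials=false"
'
MANIFEST_MISSING='
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --anonymous-auth=false
'

# flag_state <manifest-text>
# Prints "true", "false" or "missing". If the flag is repeated, the last
# occurrence is treated as effective. Returns 0 only when the value is "true",
# so the function can drive a pass/fail decision in a larger audit script.
flag_state() {
  state=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}--use-service-account-credentials=\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' \
    | tail -n 1)
  case "$state" in
    true) echo true;    return 0 ;;
    "")   echo missing; return 1 ;;
    *)    echo false;   return 1 ;;   # "false" or any unexpected value
  esac
}

# Walk the constructed manifests and show the verdict for each.
for m in "$MANIFEST_COMPLIANT" "$MANIFEST_FALSE" "$MANIFEST_MISSING"; do
  if flag_state "$m" >/dev/null; then echo "PASS"; else echo "FAIL"; fi
done
```

Against a live cluster, pipe the kubectl output into the function instead of the constructed strings, e.g. flag_state "$(kubectl get deployment -n kube-system kube-apiserver -o yaml)".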
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --use-service-account-credentials argument.
If the argument is missing or set to false, update the API server configuration to set --use-service-account-credentials=true.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --use-service-account-credentials=true argument:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following line to set the argument:
- --use-service-account-credentials=true
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by setting the --use-service-account-credentials argument to false or removing it entirely.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --use-service-account-credentials argument to false:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to include --use-service-account-credentials=false if needed.
Save and exit the editor to apply the changes.