Use service account credentials not set to true
Id: 1acd93f1-5a37-45c0-aaac-82ece818be7d
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: Medium
Category: Access Control
Description
When running kube-controller-manager, the --use-service-account-credentials flag should be set to true. With the flag set to true, the controller manager runs each controller loop with its own service account (the system:controller:* accounts in kube-system), which the API server's default RBAC bootstrap binds to a matching system:controller:* ClusterRole. If the flag is set to false or omitted (its default is false), every controller instead authenticates with the controller manager's own single credential, which is typically a highly privileged identity: per-controller least privilege is lost, a bug in any one controller can act with the union of all controllers' permissions, and API server audit logs record only the shared identity rather than the controller that performed an action. This rule reports IncorrectValue when the flag is explicitly set to false and MissingAttribute when the flag is not present. The flag is evaluated whether it appears in the container's command or in its args.
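The check below is an added example, not Datadog's rule implementation. It applies the rule's semantics to a Pod object in the shape that `kubectl -n kube-system get pod <controller-manager-pod> -o json` returns, and returns the same verdicts the rule reports. The sample Pods it embeds are constructed copies of this page's manifests plus two edge cases the page does not show (a bare flag, and a later occurrence overriding an earlier one); the function names and the "NotApplicable" verdict are this example's own.

```python
"""Added example (not Datadog's rule code): apply the rule's semantics to a
kube-controller-manager Pod object, e.g. the JSON returned by
`kubectl -n kube-system get pod kube-controller-manager-<node> -o json`."""
import json
import sys

FLAG = "--use-service-account-credentials"
# Literal values Go's strconv.ParseBool accepts; kube-controller-manager's
# flag parser uses it for boolean flags, so "=1" and "=t" also mean true.
TRUE_VALUES = {"1", "t", "T", "TRUE", "true", "True"}


def controller_manager_argv(pod):
    """Return command + args of the kube-controller-manager container, or
    None when no container in the Pod looks like one (matched on the
    container name, image, or first argv element)."""
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        ident = [c.get("name", ""), c.get("image", "")] + argv[:1]
        if any("kube-controller-manager" in s for s in ident):
            return argv
    return None


def evaluate(pod):
    """Verdict for one Pod: Compliant, IncorrectValue, MissingAttribute, or
    NotApplicable when the Pod does not run kube-controller-manager.
    The flag may sit in either command or args; as with the real flag
    parser, the last occurrence wins and a bare --flag means true."""
    argv = controller_manager_argv(pod)
    if argv is None:
        return "NotApplicable"
    verdict = "MissingAttribute"
    for arg in argv:
        if arg == FLAG:
            verdict = "Compliant"
        elif arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
            # Anything that is not a recognised true literal is a finding:
            # an explicit false, or garbage the binary would reject at start.
            verdict = "Compliant" if value in TRUE_VALUES else "IncorrectValue"
    return verdict


def _pod(command, args):
    """Constructed sample Pod in the shape of the page's manifests."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "command-demo"},
            "spec": {"containers": [{
                "name": "command-demo-container",
                "image": "gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0",
                "command": command, "args": args}]}}


# The page's four examples plus two edge cases, each with its expected verdict.
SAMPLES = {
    "flag in args": (_pod(["kube-controller-manager"],
                          ["--use-service-account-credentials=true"]), "Compliant"),
    "flag in command": (_pod(["kube-controller-manager",
                              "--use-service-account-credentials=true"], []), "Compliant"),
    "flag absent": (_pod(["kube-controller-manager"], []), "MissingAttribute"),
    "explicit false": (_pod(["kube-controller-manager",
                             "--use-service-account-credentials=false"], []), "IncorrectValue"),
    "bare flag": (_pod(["kube-controller-manager",
                        "--use-service-account-credentials"], []), "Compliant"),
    "true then false": (_pod(["kube-controller-manager"],
                             ["--use-service-account-credentials=true",
                              "--use-service-account-credentials=false"]), "IncorrectValue"),
}


if __name__ == "__main__":
    # Usage: kubectl -n kube-system get pod <cm-pod> -o json | python3 check_cm.py
    print(evaluate(json.load(sys.stdin)))
```

On a node where the controller manager runs from a static manifest rather than as a kubectl-visible Pod, the same check can be made against the live process with `ps -ef | grep kube-controller-manager`; the verdict logic is identical, since the flag is read from the process command line either way.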
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
    command: ["kube-controller-manager"]
    # Flag passed via args: each controller gets its own service account.
    args: ["--use-service-account-credentials=true"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
    # Flag passed via command instead of args: equally compliant.
    command: ["kube-controller-manager","--use-service-account-credentials=true"]
    args: []
  restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
    # Flag omitted entirely (defaults to false): reported as MissingAttribute.
    command: ["kube-controller-manager"]
    args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
    # Flag explicitly set to false: reported as IncorrectValue.
    command: ["kube-controller-manager","--use-service-account-credentials=false"]
    args: []
  restartPolicy: OnFailure