TF 0055 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Ensure that the --use-service-account-credentials argument is set to true
| Property | Value |
|---|---|
| Language | |
| Severity | |
Description
The kube-controller-manager is not configured to use individual service account credentials for each controller, as the --use-service-account-credentials argument is not set to true. This results in all controllers sharing the same set of credentials, reducing isolation between components.
Impact
If exploited, this misconfiguration could allow a compromised controller to access resources or perform actions intended only for other controllers, increasing the risk of privilege escalation and lateral movement within the cluster.
Resolution
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set --use-service-account-credentials to true.
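An added audit-and-remediation helper for this check (example code written here, not part of the Symbiotic database or the CIS benchmark): it reads a kube-controller-manager static pod manifest in the kubeadm one-argument-per-line layout, reports whether the flag is explicitly true, and writes a corrected copy. The manifest it runs against below is constructed and trimmed to the relevant fields.

```shell
#!/bin/sh
# Added example: audit and remediate --use-service-account-credentials in a
# kube-controller-manager static pod manifest (one "- --flag=value" per line).
FLAG='--use-service-account-credentials'

# Exit 0 only when the flag is explicitly set to true in the manifest.
check_sa_credentials() {
  grep -Eq -- "^[[:space:]]*- ${FLAG}=\"?true\"?[[:space:]]*$" "$1"
}

# Write a remediated copy of manifest $1 to $2: flip an explicit false to true,
# or insert the flag right after the "- kube-controller-manager" command line
# when it is absent. The kubelet restarts the static pod once the file changes.
remediate_sa_credentials() {
  src="$1"; dst="$2"
  if grep -Eq -- "^[[:space:]]*- ${FLAG}=" "$src"; then
    sed -E "s/(- ${FLAG}=)\"?false\"?/\1true/" "$src" > "$dst"
  else
    awk -v flag="${FLAG}=true" '
      { print }
      /^[[:space:]]*- kube-controller-manager[[:space:]]*$/ {
        match($0, /^[[:space:]]*/)          # reuse the list indentation
        print substr($0, 1, RLENGTH) "- " flag
      }' "$src" > "$dst"
  fi
}

# Constructed sample manifest (image and most flags omitted) for a stand-alone run.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --cluster-name=kubernetes
    name: kube-controller-manager
EOF

if check_sa_credentials "$TMP/weak.yaml"; then echo "PASS"; else echo "FAIL: $FLAG not true"; fi
remediate_sa_credentials "$TMP/weak.yaml" "$TMP/fixed.yaml"
check_sa_credentials "$TMP/fixed.yaml" && echo "PASS after remediation"
```

Run it against the real file by replacing the sample path with /etc/kubernetes/manifests/kube-controller-manager.yaml; the remediated copy should be reviewed before it is moved into place, since the kubelet applies it immediately.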