C-0147 - Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate





Description of the the issue

To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with --service-account-private-key-file as appropriate.

Related resources


What does this control test

Explicitly set a service account private key file for service accounts on the controller manager.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-controller-manager

Verify that the --service-account-private-key-file argument is set as appropriate.


Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --service-account-private-key-file parameter to the private key file for service accounts.


Impact Statement

You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.

Default Value

By default, --service-account-private-key-file it not set.


No example