---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 4
text: "Policies"
type: "policies"
groups:
  - id: 4.1
    text: "Policies - DISA Category Code I"
    checks:
      - id: V-242381
        text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
        type: "manual"
        remediation: |
         Create explicit service accounts wherever a Kubernetes workload requires specific access
         to the Kubernetes API server.
         Modify the configuration of each default service account to include this value
         automountServiceAccountToken: false
        scored: false

      - id: V-242383
        text: "User-managed resources must be created in dedicated namespaces. (Manual)"
        type: "manual"
        remediation: |
         Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
        scored: false

      - id: V-242417
        text: "Kubernetes must separate user functionality. (Manual)"
        type: "manual"
        remediation: |
         Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
        scored: false