Ensure default service accounts are not actively used
Error: Default service accounts are actively used
Bridgecrew Policy ID: BC_K8S_38
Checkov Check ID: CKV_K8S_41
Default service accounts are actively used
Every Kubernetes namespace has a service account called default, and every pod that does not set serviceAccountName runs as that account, with its API token mounted into the pod unless automounting is disabled. To let pods reach the API server, every cluster also exposes a ClusterIP service called kubernetes in the default namespace. Together these give any process inside a pod a ready-made credential and a reachable API endpoint, so any Role or ClusterRole bound to the default service account is effectively granted to every workload in that namespace that did not opt out.
We recommend that users create their own user-managed service accounts, grant each one only the roles its workload needs, and leave the default service account with no bindings and no automounted token.
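The recommendation above, carried through for one namespace as an added example (this is not part of the original page or of Checkov's own fixtures): the built-in default account is neutralised, a dedicated account is created, a least-privilege Role is bound to that account rather than to default, and the pod selects it explicitly. The namespace payments, the names payments-api and configmap-reader, and the container image are assumptions chosen for the illustration.

```yaml
# Added example, not from the original page. Names "payments", "payments-api",
# "configmap-reader" and the image are assumptions for illustration only.
---
# 1. Neutralise the built-in default account: no role bindings, no mounted token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: payments
automountServiceAccountToken: false
---
# 2. A dedicated service account for the workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
---
# 3. A least-privilege Role: only what the workload actually needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
# 4. Bind the Role to the dedicated account, never to "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-configmap-reader
  namespace: payments
subjects:
- kind: ServiceAccount
  name: payments-api
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-reader
---
# 5. The pod opts in to the dedicated account explicitly.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-api
  containers:
  - name: api
    image: registry.example/payments-api:1.0   # assumed image
```

Two caveats worth checking after applying this: automountServiceAccountToken on the ServiceAccount is only a default, and a pod spec that sets automountServiceAccountToken: true overrides it, so the binding rule (step 4) is the control that actually removes the privilege; and a pod that never needs the API at all can additionally set automountServiceAccountToken: false in its own spec. To confirm that the default account holds no rights in the namespace, run `kubectl auth can-i --list --as=system:serviceaccount:payments:default -n payments` and expect only the permissions every authenticated principal already has.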
Fix - Buildtime
- Resource: ServiceAccount
- Argument: If the ServiceAccount is named default, set automountServiceAccountToken to false so that pods running as it do not receive API credentials by default. Note that this is a top-level field of the ServiceAccount object, not part of metadata. Better still, give workloads their own named service account.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
+ automountServiceAccountToken: false
```

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
+ name: <service name>
```
- Resource: RoleBinding / ClusterRoleBinding
RoleBinding grants the permissions defined in a Role (or ClusterRole) to a set of subjects (users, groups or service accounts) within a specific namespace.
ClusterRoleBinding grants that access cluster-wide. To keep the default service account inert, it must not appear as a subject in any RoleBinding or ClusterRoleBinding; remove such subjects and bind the role to a dedicated service account instead.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <name>
subjects:
- - kind: ServiceAccount
-   name: default
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <name>
subjects:
- - kind: ServiceAccount
-   name: default
```
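The two build-time conditions above, encoded as a small standalone check so the policy can be reproduced in a CI step or a pre-commit hook. This is an added example and not Checkov's own implementation of CKV_K8S_41 (which may differ in detail); it takes already-parsed manifest documents (for instance the output of `yaml.safe_load_all`), so it has no third-party dependency, and the sample manifests at the bottom are constructed for the illustration.

```python
"""Added example: a CKV_K8S_41-style check over parsed Kubernetes manifests.

Not Checkov's own code. Documents are plain dicts as produced by a YAML or JSON
parser; sample manifests below are constructed for this illustration.
"""
from typing import Any, Dict, List

DEFAULT_SA = "default"
BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}


def resource_id(doc: Dict[str, Any]) -> str:
    """Stable label for a manifest: Kind/namespace/name (namespace omitted if absent)."""
    meta = doc.get("metadata") or {}
    ns = meta.get("namespace")
    name = meta.get("name", "<unnamed>")
    return f"{doc.get('kind')}/{ns + '/' if ns else ''}{name}"


def check_manifest(doc: Dict[str, Any]) -> List[str]:
    """Return findings for one manifest; an empty list means the resource passes.

    Rule 1: a ServiceAccount named "default" must set automountServiceAccountToken: false
            (top-level field; the API default is true when the field is absent).
    Rule 2: a RoleBinding/ClusterRoleBinding must not list the default ServiceAccount
            as a subject.
    """
    kind = doc.get("kind")
    meta = doc.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    findings: List[str] = []

    if kind == "ServiceAccount" and name == DEFAULT_SA:
        if doc.get("automountServiceAccountToken") is not False:
            findings.append("default ServiceAccount does not set automountServiceAccountToken: false")
    elif kind in BINDING_KINDS:
        for subj in doc.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == DEFAULT_SA:
                ns = subj.get("namespace") or meta.get("namespace") or "<unspecified>"
                findings.append(f"binds ServiceAccount {ns}/default as a subject")
    return findings


def scan(docs: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each failing resource id to its findings; passing resources are omitted."""
    failed: Dict[str, List[str]] = {}
    for doc in docs:
        findings = check_manifest(doc)
        if findings:
            failed[resource_id(doc)] = findings
    return failed


# Constructed sample input: two resources should fail, three should pass.
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    # FAIL: default SA with token automount left at its default (true)
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "dev"}},
    # PASS: default SA opted out of automounting
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "prod"},
     "automountServiceAccountToken": False},
    # PASS: a dedicated, user-managed SA
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "payments-api", "namespace": "prod"}},
    # FAIL: cluster-wide binding granted to a default SA
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "legacy-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}},
    # PASS: binding to the dedicated SA
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "payments-api-reader", "namespace": "prod"},
     "subjects": [{"kind": "ServiceAccount", "name": "payments-api", "namespace": "prod"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "configmap-reader"}},
]

if __name__ == "__main__":
    for rid, findings in scan(SAMPLE_MANIFESTS).items():
        for f in findings:
            print(f"FAILED {rid}: {f}")
```

The check deliberately treats an absent automountServiceAccountToken as a failure, because the Kubernetes API defaults it to true; a string value such as "false" would also fail, which is the right outcome since it is not a valid boolean in a manifest.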