Ensure that default service accounts are not actively used by bounding to a role or cluster role

Error: Default Kubernetes service accounts are actively used by bounding to a role or cluster role

Bridgecrew Policy ID: BC_K8S_45
Checkov Check ID: CKV_K8S_42
Severity: LOW

Default Kubernetes service accounts are actively used by bounding to a role or cluster role

Description

Every Kubernetes installation has a service account called default that is associated with every running pod. Similarly, to enable pods to make calls to the internal API Server endpoint, there is a ClusterIP service called Kubernetes. This combination makes it possible for internal processes to call the API endpoint.

We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.

Fix - Buildtime

Kubernetes

Option 1

  • Resource: ServiceAccount
  • Argument: If service name is set to default, automountServiceAccountToken should be set to false in order to opt out of automounting API credentials for a service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
+ automountServiceAccountToken: false
apiVersion: v1
kind: ServiceAccount
metadata:
+ name: <service name>

Option 2

  • Resource: RoleBinding / ClusterRoleBinding
  • Argument:
    RoleBinding grants the permissions defined in a role to a user or set of users within a specific namespace.
    ClusterRoleBinding grants that access cluster-wide. To avoid activating the default service account, it should not be used as a subject in RoleBinding or ClusterRoleBinding resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <name>
subjects:
-- kind: ServiceAccount
-  name: default
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <name>
subjects:
-- kind: ServiceAccount
-  name: default