Ensure the admission control plugin ServiceAccount is set

Error: The admission control plugin ServiceAccount is not set

Bridgecrew Policy ID: BC_K8S_59
Checkov Check ID: CKV_K8S_82
Severity: LOW

Description

Enable the ServiceAccount admission control plugin to automate service account management. When you create a pod without specifying a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.
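The condition this policy describes can be tested against a Pod manifest before it is deployed. The Python below is an added example, not Checkov's or Bridgecrew's implementation; it assumes the manifest is already parsed into a dict, that the plugin must be listed explicitly (as the fix on this page does), and that values from repeated flags are merged. The names check_pod and _plugins are hypothetical.

```python
"""Added example: test a parsed Pod manifest for the ServiceAccount admission plugin."""

ENABLE = "--enable-admission-plugins"
DISABLE = "--disable-admission-plugins"


def _plugins(argv, flag):
    """Collect plugin names passed as `flag=a,b` or as `flag` followed by `a,b`."""
    found = set()
    for i, arg in enumerate(argv):
        if arg.startswith(flag + "="):
            value = arg.split("=", 1)[1]
        elif arg == flag and i + 1 < len(argv):
            value = argv[i + 1]
        else:
            continue
        found.update(p.strip() for p in value.split(",") if p.strip())
    return found


def check_pod(pod):
    """Map each kube-apiserver container name to a (passed, reason) tuple."""
    results = {}
    for c in pod.get("spec", {}).get("containers", []):
        # Flags may be split between `command` and `args`.
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        if not any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv):
            continue  # the policy only concerns the API server container
        name = c.get("name", "?")
        if "ServiceAccount" in _plugins(argv, DISABLE):
            results[name] = (False, "explicitly disabled")
        elif "ServiceAccount" in _plugins(argv, ENABLE):
            results[name] = (True, "listed in " + ENABLE)
        else:
            results[name] = (False, "not listed in " + ENABLE)
    return results


def _pod(*argv):
    """Build a constructed sample manifest modelled on the Pod shown on this page."""
    return {"kind": "Pod", "spec": {"containers": [
        {"name": "kube-apiserver", "command": ["kube-apiserver", *argv]}]}}


# Constructed samples: the fixed manifest, one missing the plugin, one disabling it.
FIXED = _pod("--enable-admission-plugins=ServiceAccount")
MISSING = _pod("--enable-admission-plugins=NodeRestriction")
DISABLED = _pod(ENABLE, "NodeRestriction,ServiceAccount", DISABLE + "=ServiceAccount")

if __name__ == "__main__":
    for label, pod in (("fixed", FIXED), ("missing", MISSING), ("disabled", DISABLED)):
        print(label, check_pod(pod))
```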

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --enable-admission-plugins=ServiceAccount
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
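
Review bot: the added `--enable-admission-plugins=ServiceAccount` line is shown against image tag `v1.6.0`, so verify that the kube-apiserver release you actually run accepts this flag before applying it. If the command list already passes `--enable-admission-plugins`, add `ServiceAccount` to that flag's comma-separated value rather than passing the flag a second time, and keep the remaining arguments that the trailing `...` elides.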