Ensure that default service accounts are not actively used (RBAC - ServiceAccount)

The default service account should not be used, so that the rights granted to applications can be more easily audited and reviewed. Kubernetes provides a default service account that is used by cluster workloads whenever no specific service account is assigned to the pod. Where a pod requires access to the Kubernetes API, a dedicated service account should be created for that pod, and rights granted to that service account. The default service account should be configured so that it does not provide a service account token and has no explicit rights assignments.

Risk Level: High
Cloud Entity: Kubernetes Service Account
CloudGuard Rule ID: D9.K8S.IAM.43
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesServiceAccount where (name = 'default' and (not namespace regexMatch /kube.*/)) should have automountServiceAccountToken = false

REMEDIATION

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value:
automountServiceAccountToken: false
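The following is an added example, not code from CloudGuard or the Kubernetes project: it evaluates the GSL logic above against the JSON shape of `kubectl get serviceaccounts -A -o json` and prints the `kubectl patch` command that applies the remediation value. It assumes that `regexMatch /kube.*/` anchors at the start of the namespace name, and it treats a missing `automountServiceAccountToken` field as a violation, since Kubernetes defaults an unset value to true.

```python
import json
import re

# Namespaces excluded by "not namespace regexMatch /kube.*/".
# Assumption: regexMatch anchors at the start of the namespace name.
EXCLUDED_NS = re.compile(r"kube.*")

# The remediation value from the page, as a JSON merge patch for kubectl.
PATCH = json.dumps({"automountServiceAccountToken": False})


def is_noncompliant(sa: dict) -> bool:
    """True if a ServiceAccount object violates the rule: name 'default',
    namespace outside kube*, and automountServiceAccountToken not exactly
    false. A missing field counts as a violation: Kubernetes treats an
    unset value as true and mounts a token into every pod using the SA."""
    meta = sa.get("metadata", {})
    if meta.get("name") != "default":
        return False
    if EXCLUDED_NS.match(meta.get("namespace", "")):
        return False
    return sa.get("automountServiceAccountToken") is not False


def find_violations(sa_list: dict) -> list:
    """Evaluate a ServiceAccountList (the shape of `kubectl get sa -A -o json`)
    and return 'namespace/name' for each non-compliant default account."""
    return [f"{sa['metadata']['namespace']}/{sa['metadata']['name']}"
            for sa in sa_list.get("items", []) if is_noncompliant(sa)]


# Constructed sample list; not data from a real cluster.
SAMPLE = {"kind": "ServiceAccountList", "items": [
    {"metadata": {"name": "default", "namespace": "payments"}},
    {"metadata": {"name": "default", "namespace": "web"},
     "automountServiceAccountToken": False},
    {"metadata": {"name": "default", "namespace": "kube-system"}},
    {"metadata": {"name": "api-reader", "namespace": "payments"},
     "automountServiceAccountToken": True},
]}

if __name__ == "__main__":
    for ref in find_violations(SAMPLE):
        ns, name = ref.split("/")
        # Print the kubectl command that applies the remediation.
        print(f"kubectl -n {ns} patch serviceaccount {name} -p '{PATCH}'")
```

Pods that legitimately need API access should instead reference their own service account and may still set `automountServiceAccountToken: false` on the default one.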

Kubernetes Service Account

A service account provides an identity for processes that run in a Pod. When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account (currently this is usually admin, unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.24
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3