Ensure that default service accounts are not actively used (RBAC - ClusterRoleBinding)
The default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed. Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
Risk Level: Low
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.TF.K8S.IAM.49
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
kubernetes_cluster_role_binding should not have subject contain [name = 'default' and kind = 'ServiceAccount']
REMEDIATION
Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value:
automountServiceAccountToken: false
Kubernetes Role Binding
A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.
Compliance Frameworks
- EKS CloudGuard Best Practices
Updated over 1 year ago