Ensure that default service accounts are not actively used (RBAC - ClusterRoleBinding)

The default service account should not be used, so that the rights granted to applications can be more easily audited and reviewed. Kubernetes provides a default service account that is used by cluster workloads whenever no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

Risk Level: Low
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.TF.K8S.IAM.49
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

kubernetes_cluster_role_binding should not have subject contain [name = 'default' and kind = 'ServiceAccount']

REMEDIATION

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value:
automountServiceAccountToken: false
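As an added example (not part of the CloudGuard rule or its tooling), the following Python script implements the GSL predicate above over the JSON that `kubectl get clusterrolebindings -o json` produces, so an operator can list the bindings that need remediation before creating explicit service accounts. The sample input is constructed inline and is not real cluster output.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`
# (a List of ClusterRoleBinding objects). Not taken from a real cluster.
SAMPLE_CLUSTERROLEBINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # violates the rule: grants ClusterRole "view" to app-a's default SA
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "default-can-read"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "view"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "default", "namespace": "app-a"},
            ],
        },
        {   # compliant: dedicated SA, plus a Group that happens to be named "default"
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "metrics-reader"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "metrics-view"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "metrics-sa", "namespace": "monitoring"},
                {"kind": "Group", "name": "default", "apiGroup": "rbac.authorization.k8s.io"},
            ],
        },
    ],
})


def is_default_service_account(subject):
    """Mirror of the GSL predicate: name = 'default' and kind = 'ServiceAccount'."""
    return subject.get("kind") == "ServiceAccount" and subject.get("name") == "default"


def find_default_sa_bindings(kubectl_json):
    """Return (binding name, namespace of the default SA) for every
    ClusterRoleBinding whose subjects include a default service account."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for binding in items:
        if binding.get("kind") != "ClusterRoleBinding":
            continue
        for subject in binding.get("subjects") or []:  # subjects may be null/absent
            if is_default_service_account(subject):
                findings.append((binding["metadata"]["name"], subject.get("namespace")))
    return findings


if __name__ == "__main__":
    for name, ns in find_default_sa_bindings(SAMPLE_CLUSTERROLEBINDINGS):
        print(f"ClusterRoleBinding {name} binds the default ServiceAccount of namespace {ns}")
```

Because a ClusterRoleBinding applies cluster-wide, each finding names the namespace whose default service account received the rights, which is the account that should be replaced by a dedicated one and set to `automountServiceAccountToken: false`.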

Kubernetes Role Binding

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.

Compliance Frameworks

  • EKS CloudGuard Best Practices