4.1.5 Ensure that default service accounts are not actively used.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.

Rationale:

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod.

Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.

The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

Impact:

All workloads which require access to the Kubernetes API will require an explicit service account to be created.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server.
Modify the configuration of each default service account to include this value

automountServiceAccountToken: false

Default Value:

By default the default service account allows for its service account token to be mounted in pods in its namespace.

See Also

https://workbench.cisecurity.org/files/4135