Ensure that default service accounts are not actively used.

MEDIUM

Description

Description:

The 'default' service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.

Rationale:

Kubernetes provides a 'default' service account which is used by cluster workloads where no specific service account is assigned to the pod.

Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.

The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

All workloads which require access to the Kubernetes API will require an explicit service account to be created.

Remediation

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server.

Modify the configuration of each default service account to include this value

automountServiceAccountToken: false

Automatic remediation for the default account:

'kubectl patch serviceaccount default -p $'automountServiceAccountToken: false''

Policy Details

Rule Reference ID: AC_K8S_0113

CSP: Kubernetes

Remediation Available: No

Domain: Identity and Access Management

Resource: kubernetes_role

Resource Category: Management

Resource Type: Role

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
ISO-27001
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Master Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1

Detections

Analytics