Skip to content

Default service accounts are actively used

Description

Every Kubernetes installation has a service account called default that is associated with every running pod. Similarly, to enable pods to make calls to the internal API Server endpoint, there is a ClusterIP service called Kubernetes. This combination makes it possible for internal processes to call the API endpoint.

We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.

Fix - Buildtime

Kubernetes

Option 1

  • Resource: ServiceAccount
  • Argument: If service name is set to default, automountServiceAccountToken should be set to false in order to opt out of automounting API credentials for a service account.

```yaml default service apiVersion: v1 kind: ServiceAccount metadata: name: default + automountServiceAccountToken: false

```yaml non-default service
apiVersion: v1
kind: ServiceAccount
metadata:
+ name: <service name>

Option 2

  • Resource: RoleBinding / ClusterRoleBinding
  • Argument:
    RoleBinding grants the permissions defined in a role to a user or set of users within a specific namespace.
    ClusterRoleBinding grants that access cluster-wide. To avoid activating the default service account, it should not be used as a subject in RoleBinding or ClusterRoleBinding resources.

```yaml RoleBinding apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: subjects: -- kind: ServiceAccount - name: default

```yaml ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <name>
subjects:
-- kind: ServiceAccount
-  name: default