Default Kubernetes service accounts are actively used by bounding to a role or cluster role
Description
Every Kubernetes installation has a service account called default that is associated with every running pod. Similarly, to enable pods to make calls to the internal API Server endpoint, there is a ClusterIP service called Kubernetes. This combination makes it possible for internal processes to call the API endpoint.
We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.
Fix - Buildtime
Kubernetes
Option 1
- Resource: ServiceAccount
- Argument: If service name is set to default, automountServiceAccountToken should be set to false in order to opt out of automounting API credentials for a service account.
```yaml default service apiVersion: v1 kind: ServiceAccount metadata: name: default + automountServiceAccountToken: false
```yaml non-default service
apiVersion: v1
kind: ServiceAccount
metadata:
+ name: <service name>
Option 2
- Resource: RoleBinding / ClusterRoleBinding
- Argument:
RoleBinding grants the permissions defined in a role to a user or set of users within a specific namespace.
ClusterRoleBinding grants that access cluster-wide. To avoid activating the default service account, it should not be used as a subject in RoleBinding or ClusterRoleBinding resources.
```yaml RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name:
```yaml ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: <name>
subjects:
-- kind: ServiceAccount
- name: default