Default Kubernetes service accounts are actively used by bounding to a role or cluster role
Description
Every Kubernetes installation has a service account called default that is associated with every running pod. Similarly, to enable pods to make calls to the internal API Server endpoint, there is a ClusterIP service called Kubernetes. This combination makes it possible for internal processes to call the API endpoint. We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.
Code Example
RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: <name>
subjects:
-- kind: ServiceAccount
- name: defaultRemediation
Kubernetes
Option 1
- Resource: ServiceAccount
- Arguments: If service name is set to default, automountServiceAccountToken should be set to false in order to opt out of automounting API credentials for a service account.
[source,default service]
apiVersion: v1 kind: ServiceAccount metadata: name: default
- automountServiceAccountToken: false
[source,non-default service]
apiVersion: v1 kind: ServiceAccount metadata:
- name: <service name>
Option 2
- Resource: RoleBinding / ClusterRoleBinding
- Arguments: RoleBinding grants the permissions defined in a role to a user or set of users within a specific namespace. ClusterRoleBinding grants that access cluster-wide. To avoid activating the default service account, it should not be used as a subject in RoleBinding or ClusterRoleBinding resources.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1120 |
| Severity | LOW |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes, |
| Checkov ID | CKV_K8S_42 |