Ensure Workflow pods are not using the default ServiceAccount
Description
This policy checks whether Argo Workflow pods are using the default ServiceAccount. Using the default ServiceAccount can pose a security risk as it may have more permissions than necessary, potentially allowing an attacker to exploit these permissions if the pod is compromised. It's essential to use a custom ServiceAccount with minimal required permissions to reduce the attack surface. By using a custom ServiceAccount, you can ensure that your Workflow pods have the least privileges necessary to operate, reducing the potential damage in case of a security breach.
Code Example
```yaml
spec:
  serviceAccountName: my-custom-serviceaccount
```
Remediation
Create a custom ServiceAccount with minimal required permissions and specify it in the Workflow configuration.
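The following is an added example of how this check can be evaluated over parsed Argo manifests; it is not Checkov's own implementation, and the resource kinds, field paths and pod-creating template types it handles are assumptions drawn from the Argo Workflows schema.

```python
# Added example (not Checkov's code): a CKV_ARGO_1-style check over parsed Argo
# manifests. Kinds, field paths and pod-creating template types are assumptions.

# Template types that actually create a pod; steps/dag/suspend do not (assumption).
POD_TEMPLATE_KEYS = ("container", "script", "resource", "containerSet", "data")

def workflow_spec(manifest):
    """Locate the workflow spec; CronWorkflow nests it under spec.workflowSpec."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "CronWorkflow":
        return spec.get("workflowSpec") or {}
    if kind in ("Workflow", "WorkflowTemplate", "ClusterWorkflowTemplate"):
        return spec
    return None

def is_default_sa(name):
    # An unset serviceAccountName makes Kubernetes fall back to "default".
    return not name or name == "default"

def check_default_service_account(manifest):
    """Return (result, offending_template_names).

    result is "PASSED", "FAILED" or "UNKNOWN" (kind not covered). A template's pod
    runs under template.serviceAccountName when set, otherwise under the
    workflow-level spec.serviceAccountName, otherwise under "default".
    """
    spec = workflow_spec(manifest)
    if spec is None:
        return "UNKNOWN", []
    wf_sa = spec.get("serviceAccountName")
    pod_templates = [t for t in spec.get("templates") or []
                     if any(k in t for k in POD_TEMPLATE_KEYS)]
    offenders = [t.get("name", "<unnamed>") for t in pod_templates
                 if is_default_sa(t.get("serviceAccountName") or wf_sa)]
    if not pod_templates and is_default_sa(wf_sa):
        # No inline pod templates (e.g. workflowTemplateRef): judge the workflow-level setting.
        return "FAILED", ["<workflow spec>"]
    return ("FAILED" if offenders else "PASSED"), offenders

# Constructed sample manifests (not from the page).
FAILING = {"kind": "Workflow", "spec": {"templates": [{"name": "main", "container": {"image": "alpine"}}]}}
PASSING = {"kind": "Workflow", "spec": {"serviceAccountName": "my-custom-serviceaccount",
           "templates": [{"name": "main", "container": {"image": "alpine"}}]}}
MIXED = {"kind": "CronWorkflow", "spec": {"schedule": "* * * * *", "workflowSpec": {"templates": [
    {"name": "entry", "steps": [[{"name": "a", "template": "work"}]]},
    {"name": "work", "script": {"image": "python"}, "serviceAccountName": "wf-runner"},
    {"name": "cleanup", "resource": {"action": "delete"}, "serviceAccountName": "default"}]}}}

if __name__ == "__main__":
    for m in (FAILING, PASSING, MIXED):
        print(m["kind"], check_default_service_account(m))
```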
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0054 |
| Severity | MEDIUM |
| IaC Type | Argo Workflows |
| Frameworks | spec |
| Checkov ID | CKV_ARGO_1 |