Roles and cluster roles should not be bound to the default service account

Description

Dedicated service accounts should be created for each workload with appropriate rights assigned.

Remediation Steps

Kubernetes Manifest (YAML)

Ensure that no Kubernetes.RoleBinding or Kubernetes.ClusterRoleBinding contains a subjects entry whose kind field is ServiceAccount and whose name field is default.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: hello
subjects:
- kind: ServiceAccount
  name: test
  namespace: test-ns
roleRef:
  kind: ClusterRole
  name: role-grantor
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-rolebinding
subjects:
- kind: ServiceAccount
  name: test
  namespace: test-ns
roleRef:
  kind: ClusterRole
  name: not-cluster-admin
  apiGroup: rbac.authorization.k8s.io
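As an added example (not part of the original guidance), the following Python check applies the rule above to the JSON produced by `kubectl get rolebindings,clusterrolebindings -A -o json`. The sample input is constructed: it embeds the two compliant bindings shown above plus one violating binding, and the function name `default_sa_bindings` is an assumption. For a RoleBinding, a ServiceAccount subject with no namespace refers to the binding's own namespace, and the check resolves that case instead of skipping it.

```python
import json

# Constructed sample in the shape of `kubectl get rolebindings,clusterrolebindings -A -o json`.
# The first two items mirror the compliant bindings shown above; the third is a constructed
# violation that binds a ClusterRole to the namespace's default service account.
SAMPLE_BINDINGS = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "role-grantor-binding", "namespace": "hello"},
     "subjects": [{"kind": "ServiceAccount", "name": "test", "namespace": "test-ns"}],
     "roleRef": {"kind": "ClusterRole", "name": "role-grantor", "apiGroup": "rbac.authorization.k8s.io"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "test-rolebinding"},
     "subjects": [{"kind": "ServiceAccount", "name": "test", "namespace": "test-ns"}],
     "roleRef": {"kind": "ClusterRole", "name": "not-cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "bad-binding", "namespace": "hello"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}],  # namespace omitted on purpose
     "roleRef": {"kind": "ClusterRole", "name": "role-grantor", "apiGroup": "rbac.authorization.k8s.io"}},
]})

BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}


def default_sa_bindings(kubectl_json: str) -> list:
    """Return (kind, binding namespace, binding name, service-account namespace)
    for every RoleBinding or ClusterRoleBinding whose subjects include a
    ServiceAccount named 'default'. Accepts a kubectl List or a single object.
    In a RoleBinding, a ServiceAccount subject with no namespace refers to the
    binding's own namespace, so that case is resolved rather than skipped."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") not in BINDING_KINDS:
            continue
        meta = obj.get("metadata", {})
        for subj in obj.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") != "ServiceAccount" or subj.get("name") != "default":
                continue
            sa_ns = subj.get("namespace") or meta.get("namespace")
            findings.append((obj["kind"], meta.get("namespace"), meta["name"], sa_ns))
    return findings


if __name__ == "__main__":
    for kind, ns, name, sa_ns in default_sa_bindings(SAMPLE_BINDINGS):
        print(f"{kind} {ns or '<cluster>'}/{name}: grants rights to default SA in {sa_ns}")
```

To run it against a live cluster, pipe the output of `kubectl get rolebindings,clusterrolebindings -A -o json` into `default_sa_bindings`; an empty result means no binding targets a default service account.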