Roles and cluster roles should not be bound to the default service account
Description
Every namespace has a `default` service account, and it is mounted into every pod that does not name a service account of its own. Binding a Role or ClusterRole to it therefore grants those permissions to every such pod in the namespace. Dedicated service accounts should be created for each workload, with only the rights that workload needs assigned to them.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that a `Kubernetes.RoleBinding` or `Kubernetes.ClusterRoleBinding` does not have a `subjects` entry with the `kind` field set to `ServiceAccount` and `name` set to `default`.
Example Configuration

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: hello
subjects:
  - kind: ServiceAccount
    name: test
    namespace: test-ns
roleRef:
  kind: ClusterRole
  name: role-grantor
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-rolebinding
subjects:
  - kind: ServiceAccount
    name: test
    namespace: test-ns
roleRef:
  kind: ClusterRole
  name: not-cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
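The check described under Remediation Steps, as an added example that is not part of this page or of any policy engine: a small Python scanner that walks a `kind: List` of bindings (the shape produced by `kubectl get rolebindings,clusterrolebindings --all-namespaces -o json`) and reports every binding whose subjects include the `default` service account, then shows the corrected binding with a dedicated service account substituted. The binding names, namespaces and role names in the sample are constructed for this example; `find_violations` and `rebind_to_dedicated_sa` are hypothetical helper names.

```python
import copy
import json

# Constructed sample shaped like `kubectl get rolebindings,clusterrolebindings -A -o json`.
# Two bindings are compliant (the page's own examples), two grant rights to `default`.
# The User subject named "default" in the last binding must NOT be flagged:
# the rule is about ServiceAccount subjects only.
SAMPLE_BINDINGS = json.loads("""
{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "role-grantor-binding", "namespace": "hello"},
     "subjects": [{"kind": "ServiceAccount", "name": "test", "namespace": "test-ns"}],
     "roleRef": {"kind": "ClusterRole", "name": "role-grantor", "apiGroup": "rbac.authorization.k8s.io"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "default-reader", "namespace": "payments"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "default-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "test-rolebinding"},
     "subjects": [{"kind": "ServiceAccount", "name": "test", "namespace": "test-ns"},
                  {"kind": "User", "name": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "not-cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}}
  ]
}
""")


def default_sa_subjects(binding):
    """Return (namespace, name) for each subject that is the `default` service account.

    Scanner assumption: if a manifest omits the subject namespace, report it under the
    binding's own namespace rather than dropping the finding.
    """
    hits = []
    for subj in binding.get("subjects") or []:  # `subjects` may be absent or null
        if subj.get("kind") != "ServiceAccount" or subj.get("name") != "default":
            continue
        ns = subj.get("namespace") or binding.get("metadata", {}).get("namespace", "")
        hits.append((ns, "default"))
    return hits


def find_violations(bindings):
    """Return one finding per RoleBinding/ClusterRoleBinding bound to a `default` SA."""
    findings = []
    for b in bindings.get("items", []):
        if b.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        hits = default_sa_subjects(b)
        if not hits:
            continue
        meta = b.get("metadata", {})
        findings.append({
            "kind": b["kind"],
            "name": meta.get("name"),
            "namespace": meta.get("namespace"),  # None for a ClusterRoleBinding
            "role": f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}',
            "default_service_accounts": hits,
        })
    return findings


def rebind_to_dedicated_sa(binding, service_account_name):
    """Return a copy of `binding` whose `default` SA subjects point at a dedicated SA.

    The dedicated service account itself must be created separately; this only
    rewrites the binding. The input object is left unchanged.
    """
    fixed = copy.deepcopy(binding)
    for subj in fixed.get("subjects") or []:
        if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
            subj["name"] = service_account_name
            subj.setdefault("namespace", fixed.get("metadata", {}).get("namespace", ""))
    return fixed


if __name__ == "__main__":
    for f in find_violations(SAMPLE_BINDINGS):
        where = f"{f['namespace']}/" if f["namespace"] else ""
        print(f"{f['kind']} {where}{f['name']} grants {f['role']} to {f['default_service_accounts']}")
```

Run against a live cluster by piping the `kubectl get ... -o json` output into `json.load` in place of the constructed sample. The scanner keys on the subject's `kind` and `name` only, so a `User` or `Group` that happens to be called `default` is not reported, and a binding with no `subjects` field is skipped rather than crashing.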