Skip to main content

☑️ Ensure that default service accounts are not actively used

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.

The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

Targeted objects by this rule (types of kind): ServiceAccount

Complexity: easy (What does this mean?)

Policy as code identifier: CIS_INVALID_VALUE_AUTOMOUNTSERVICEACCOUNTTOKEN


This rule will fail​

If a default service account does not have the automountServiceAccountToken key set to false:

apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Ensure that default service accounts are not actively used [1 occurrence]
💡 Invalid value for key `automountServiceAccountToken` - set to `false` to ensure rights can be more easily audited

How to fix this failure​

Add the automountServiceAccountToken key and set it to false:

apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
automountServiceAccountToken: false

Read more​