All pods in a Workflow run with the service account specified in workflow.spec.serviceAccountName; if it is omitted, the default service account of the workflow's namespace is used. This gives the workflow (i.e. its pods) the ability to interact with the Kubernetes API server. Because the service account token is mounted into the pod by default (AutomountServiceAccountToken), an attacker who gains access to a single container can use that token to abuse the Kubernetes API.
If the user has disabled AutomountServiceAccountToken, the default service account that Argo uses has no permissions, and the workflow will fail.
We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.
Resources targeted by this rule (kinds): Workflow / WorkflowTemplate
Enabled by default? True
Policy as code identifier: ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT
This rule will fail
if serviceAccountName is set to 'default' or not set at all:
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent Workflow pods from using the default service account [1 occurrence]
💡 Incorrect value for key `serviceAccountName` - when set to `default` container is exposed to possible attacks
How to fix this failure
Set the serviceAccountName key and give it a value other than 'default':
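As an added example (not Datree's own implementation of this rule), the check below applies the rule's logic to parsed Workflow and WorkflowTemplate manifests: unset, empty, or 'default' values of spec.serviceAccountName are reported, and other kinds are ignored. The manifests and the workflow-runner service account name are constructed for illustration.

```python
# Kinds the rule targets, as listed in the rule description.
CHECKED_KINDS = {"Workflow", "WorkflowTemplate"}


def check_service_account(manifest: dict) -> list:
    """Return one finding per violation for a single parsed manifest; [] means it passes."""
    kind = manifest.get("kind")
    if kind not in CHECKED_KINDS:
        return []  # Deployments, ConfigMaps, etc. are out of this rule's scope
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    sa = manifest.get("spec", {}).get("serviceAccountName")
    # Unset, empty string, or an explicit "default" all make the pods run under
    # the namespace's default service account, which is what the rule flags.
    if not sa or sa == "default":
        shown = "not set" if not sa else repr(sa)
        return [f"{kind}/{name}: serviceAccountName {shown}; pods would run as the "
                "namespace default service account"]
    return []


def check_all(manifests: list) -> list:
    """Run the check over every manifest in a file and collect all findings."""
    findings = []
    for manifest in manifests:
        findings.extend(check_service_account(manifest))
    return findings


# Constructed sample manifests, shown as dicts as they would look after YAML parsing.
MAIN_TEMPLATE = {"name": "main", "container": {"image": "busybox", "command": ["echo", "hi"]}}

FAILING_UNSET = {"apiVersion": "argoproj.io/v1alpha1", "kind": "Workflow",
                 "metadata": {"name": "hello-unset"},
                 "spec": {"entrypoint": "main", "templates": [MAIN_TEMPLATE]}}
FAILING_DEFAULT = {"apiVersion": "argoproj.io/v1alpha1", "kind": "WorkflowTemplate",
                   "metadata": {"name": "hello-default"},
                   "spec": {"serviceAccountName": "default", "entrypoint": "main",
                            "templates": [MAIN_TEMPLATE]}}
FIXED = {"apiVersion": "argoproj.io/v1alpha1", "kind": "Workflow",
         "metadata": {"name": "hello-fixed"},
         "spec": {"serviceAccountName": "workflow-runner",  # hypothetical user-managed SA
                  "entrypoint": "main", "templates": [MAIN_TEMPLATE]}}
OUT_OF_SCOPE = {"apiVersion": "apps/v1", "kind": "Deployment",
                "metadata": {"name": "web"}, "spec": {"replicas": 1}}

if __name__ == "__main__":
    for line in check_all([FAILING_UNSET, FAILING_DEFAULT, FIXED, OUT_OF_SCOPE]):
        print("FAIL", line)
```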