☑️ Prevent Workflow pods from using the default service account
All pods in a Workflow run with a service account. The service account can be specified in workflow.spec.serviceAccountName; if it is omitted, the default service account of the workflow's namespace is used. This gives the workflow (i.e. the pod) the ability to interact with the Kubernetes API server. Because the service account token is mounted into every pod by default (AutomountServiceAccountToken), an attacker who gains access to a single container can use that token to abuse the Kubernetes API.
If AutomountServiceAccountToken has been disabled, the default service account that Argo is using has no permissions and the workflow will fail.
We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.
Objects targeted by this rule (kinds): Workflow / WorkflowTemplate
Complexity: hard
Policy as code identifier: ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT
This rule will fail
If serviceAccountName is set to 'default' or not set at all:
kind: WorkflowTemplate
spec:
  entrypoint: entry-point
  serviceAccountName: default
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent Workflow pods from using the default service account [1 occurrence]
💡 Incorrect value for key `serviceAccountName` - when set to `default` container is exposed to possible attacks
How to fix this failure
Set the serviceAccountName key and give it the name of a user-managed service account:
kind: Workflow
spec:
  serviceAccountName: mySrvAcc
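The same check, written here as an added example rather than Datree's own implementation: it evaluates already-parsed Workflow / WorkflowTemplate manifests (constructed sample documents, not taken from a real cluster) and flags a missing, empty or `default` serviceAccountName while leaving other kinds alone. The function names and the missing-key message are assumptions of this example.

```python
"""Re-implementation of the rule ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT
over already-parsed Kubernetes manifests (hypothetical helper, not Datree's code)."""

TARGET_KINDS = {"Workflow", "WorkflowTemplate"}
RULE_NAME = "Prevent Workflow pods from using the default service account"


def check_service_account(doc):
    """Return a finding string for one manifest, or None when the rule passes.

    The rule fails when spec.serviceAccountName is absent, empty, or 'default';
    kinds other than Workflow / WorkflowTemplate are out of scope and pass.
    """
    if not isinstance(doc, dict) or doc.get("kind") not in TARGET_KINDS:
        return None
    spec = doc.get("spec")
    if not isinstance(spec, dict):
        spec = {}
    name = spec.get("serviceAccountName")
    if name is None or str(name).strip() == "":
        # Assumed wording: the pod silently falls back to the namespace's default SA.
        return "key `serviceAccountName` is missing - pod falls back to the namespace default service account"
    if name == "default":
        return "incorrect value for key `serviceAccountName` - when set to `default` container is exposed to possible attacks"
    return None


def evaluate(docs):
    """Run the check over every document; return (failing_count, [messages])."""
    findings = [f for f in map(check_service_account, docs) if f]
    return len(findings), findings


# Constructed sample manifests covering each case the rule distinguishes.
SAMPLE_DOCS = [
    {"kind": "WorkflowTemplate", "spec": {"entrypoint": "entry-point", "serviceAccountName": "default"}},
    {"kind": "Workflow", "spec": {"entrypoint": "entry-point"}},       # key omitted -> default SA -> fails
    {"kind": "Workflow", "spec": {"serviceAccountName": "mySrvAcc"}},   # user-managed SA -> passes
    {"kind": "ConfigMap", "metadata": {"name": "unrelated"}},           # out of scope -> passes
]

if __name__ == "__main__":
    count, messages = evaluate(SAMPLE_DOCS)
    print(f"❌ {RULE_NAME} [{count} occurrences]")
    for message in messages:
        print(f"💡 {message}")
```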