Skip to main content

☑️ Prevent Workflow pods from using the default service account

All pods in a Workflow run with the service account. The service account can be specified in workflow.spec.serviceAccountName, or if omitted, the default service account of the workflow's namespace is used.  This provides the workflow(i.e the pod) the ability to interact with the Kubernetes API server and because this behavior is enabled by default, it creates a great way for attackers with access to a single container, to abuse Kubernetes with the AutomountServiceAccountToken.

If by any chance, the user disabled the option for AutomountServiceAccountToken the default service account that Argo is using does not have any permissions, and the workflow will fail.

We recommend that users create their own user-managed service accounts and grant the appropriate roles to each service account.

Targeted objects by this rule (types of kind): Workflow / WorkflowTemplate

Enabled by default? True

Policy as code identifier: ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT


This rule will fail

If serviceAccountName is set to 'default' or not set at all:

kind: WorkflowTemplate
spec:
  entrypoint: entry-point
  serviceAccountName: default
kind: WorkflowTemplate
spec:
  entrypoint: entry-point
  serviceAccountName: default

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent Workflow pods from using the default service account [1 occurrence]
💡 Incorrect value for key `serviceAccountName` - when set to `default` container is exposed to possible attacks

How to fix this failure

Set the serviceAccountName key and give it a value:

kind: Workflow
spec:
  serviceAccountName: mySrvAcc

Read more