
Ensure no ClusterRoleBindings set for default Service Account

An XCCDF Rule

Description

Using the default service account prevents accurate application rights review and audit tracing. Instead of default, create a new and unique service account and associate the required ClusterRoleBindings.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the /apis/rbac.authorization.k8s.io/v1/clusterrolebindings?limit=10000 API endpoint; filter the result with the jq utility using the following filter [.items[] | select ( .subjects[]?.name == "default" ) | select(.subjects[].namespace | startswith("kube-") or startswith("openshift-") | not) | .metadata.name ] | unique and persist it to the local /apis/rbac.authorization.k8s.io/v1/clusterrolebindings?limit=10000#79f26213dd0c77369a3262d04a79b049cbe657d6816bca60a341434f2ee8d280 file.
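The check above is normally run as an `oc get --raw` call piped through jq. The following Python script is an added illustration of the same evaluation over a persisted dump; it is not part of the rule or of the ComplianceAsCode project. It assumes the input is a ClusterRoleBindingList JSON document as returned by the endpoint above, and it is slightly stricter than the page's jq expression: it requires the `default` name and the non-platform namespace to be on the same ServiceAccount subject, whereas the jq filter evaluates the two conditions across all subjects independently. The sample list embedded in the block is constructed for the example.

```python
"""Evaluate a ClusterRoleBindingList dump for bindings that grant cluster-wide
rights to a namespace's `default` ServiceAccount outside the platform
namespaces (kube-*, openshift-*).

Added example, not the rule's own check. Input format assumed to be the JSON
returned by /apis/rbac.authorization.k8s.io/v1/clusterrolebindings.
"""
import json
import sys

# Namespaces owned by the platform; bindings for their default SA are out of scope.
PLATFORM_PREFIXES = ("kube-", "openshift-")


def is_platform_namespace(namespace):
    """True when the namespace is a platform-managed one (kube-* or openshift-*)."""
    return any(namespace.startswith(prefix) for prefix in PLATFORM_PREFIXES)


def offending_bindings(crb_list):
    """Return the sorted, de-duplicated names of ClusterRoleBindings that have at
    least one ServiceAccount subject named 'default' in a non-platform namespace.

    Bindings with no subjects, User/Group subjects, or subjects without a
    namespace are ignored (they cannot be a namespace's default SA).
    """
    names = set()
    for item in crb_list.get("items", []):
        for subject in item.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            if subject.get("name") != "default":
                continue
            namespace = subject.get("namespace")
            if namespace is None or is_platform_namespace(namespace):
                continue
            # One hit is enough; the set removes duplicates from multi-subject bindings.
            names.add(item["metadata"]["name"])
    return sorted(names)


def evaluate_dump(path):
    """Load a persisted API dump from disk and return the offending binding names."""
    with open(path, encoding="utf-8") as handle:
        return offending_bindings(json.load(handle))


# Constructed sample ClusterRoleBindingList (not a real cluster's data).
SAMPLE = {
    "kind": "ClusterRoleBindingList",
    "items": [
        {   # platform namespace: out of scope
            "metadata": {"name": "system:openshift:monitoring-default"},
            "subjects": [{"kind": "ServiceAccount", "name": "default",
                          "namespace": "openshift-monitoring"}],
        },
        {   # application namespace binding its default SA cluster-wide: finding
            "metadata": {"name": "dev-default-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "default",
                          "namespace": "dev-team"}],
        },
        {   # a User called "default" has no namespace: ignored
            "metadata": {"name": "user-default-viewer"},
            "subjects": [{"kind": "User", "name": "default"}],
        },
        {   # no subjects at all: ignored
            "metadata": {"name": "orphaned-binding"},
        },
        {   # two default SAs in two app namespaces: reported once
            "metadata": {"name": "two-default-sas"},
            "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ns-a"},
                         {"kind": "ServiceAccount", "name": "default", "namespace": "ns-b"}],
        },
    ],
}


if __name__ == "__main__":
    # Usage: python check_default_sa_crb.py [dump.json]; falls back to the sample.
    findings = evaluate_dump(sys.argv[1]) if len(sys.argv) > 1 else offending_bindings(SAMPLE)
    if findings:
        print("FAIL: default ServiceAccount has ClusterRoleBindings:", ", ".join(findings))
        sys.exit(1)
    print("PASS: no ClusterRoleBindings for non-platform default ServiceAccounts")
```

The rule passes only when the returned list is empty; each name it returns is a binding to remediate by creating a dedicated ServiceAccount and re-pointing the ClusterRoleBinding at it, as the Description prescribes.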

Rationale

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. This increases auditability of service account rights and access making it easier and more accurate to trace potential malicious behaviors to a specific service account and project.

ID
xccdf_org.ssgproject.content_rule_accounts_no_clusterrolebindings_default_service_account
Severity
Medium
References
Updated