
Ensure no RoleBindings set for default Service Account

An XCCDF Rule

Description

Using the default service account prevents accurate application rights review and audit tracing. Instead of the default account, create a new, unique service account and associate the required RoleBindings with it.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the /apis/rbac.authorization.k8s.io/v1/rolebindings?limit=10000 API endpoint, filtered with the jq utility using the following filter: [.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select ( .subjects[]?.name == "default" ) | .metadata.namespace + "/" + .metadata.name ] | unique, and persisted to the local /apis/rbac.authorization.k8s.io/v1/rolebindings?limit=10000#00c457af66396f1f78aa74c5eb2177980c74419afc15a46a16b38a8712ca0b70 file.
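The jq filter above, re-implemented in Python over a constructed RoleBindingList so the check can be run offline against a saved dump. This is an added example, not part of the rule or the ComplianceAsCode project; the sample bindings, the `is_platform_namespace` helper and the optional `require_service_account_kind` flag are assumptions, and the flag is a stricter variant than the page's filter, which tests only the subject name.

```python
import json
from typing import List

# Constructed sample RoleBindingList in the shape the rolebindings endpoint
# returns (unused fields omitted); not data from any real cluster.
SAMPLE_ROLEBINDINGS = json.dumps({"kind": "RoleBindingList", "items": [
    {"metadata": {"namespace": "kube-system", "name": "controller-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}]},
    {"metadata": {"namespace": "openshift-monitoring", "name": "prom-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}]},
    {"metadata": {"namespace": "payments", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"},
                  {"kind": "ServiceAccount", "name": "default"}]},
    {"metadata": {"namespace": "payments", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer-sa"}]},
    {"metadata": {"namespace": "team-b", "name": "group-default"},
     "subjects": [{"kind": "Group", "name": "default"}]},
    {"metadata": {"namespace": "team-c", "name": "no-subjects"}},
]})


def is_platform_namespace(namespace: str) -> bool:
    """Namespaces the rule skips: startswith("kube-") or startswith("openshift-")."""
    return namespace.startswith("kube-") or namespace.startswith("openshift-")


def default_sa_rolebindings(rolebinding_list_json: str,
                            require_service_account_kind: bool = False) -> List[str]:
    """Sorted, de-duplicated "namespace/name" of RoleBindings that bind a
    subject named "default" outside platform namespaces.

    The default (False) mirrors the page's jq filter exactly, which tests only
    `.name`, so a User or Group called "default" matches too. True restricts
    the match to kind ServiceAccount (an assumed stricter variant, not the rule's).
    """
    data = json.loads(rolebinding_list_json)
    findings = set()  # jq's trailing `unique` de-duplicates and sorts as well
    for rb in data.get("items", []):
        meta = rb.get("metadata", {})
        namespace = meta.get("namespace", "")
        if is_platform_namespace(namespace):
            continue
        # `.subjects[]?` in jq yields nothing when subjects is missing or null
        for subject in rb.get("subjects") or []:
            if subject.get("name") != "default":
                continue
            if require_service_account_kind and subject.get("kind") != "ServiceAccount":
                continue
            findings.add(f"{namespace}/{meta.get('name', '')}")
    return sorted(findings)
```

Feed it the saved JSON from the rolebindings endpoint; any non-empty result means the rule fails for those bindings.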

Rationale

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. This increases the auditability of service account rights and access, making it easier and more accurate to trace potentially malicious behavior to a specific service account and project.

ID
xccdf_org.ssgproject.content_rule_accounts_no_rolebindings_default_service_account
Severity
Medium
References
Updated