Ensure Usage of Unique Service Accounts

An XCCDF Rule

Description

Using the default service account prevents accurate application rights review and audit tracing. Instead of the default, create a new and unique service account with the following command:

$ oc create sa service_account_name
where service_account_name is the name of a service account that is needed in the project namespace.

Rationale

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. This increases the auditability of service account rights and access, making it easier and more accurate to trace potentially malicious behavior to a specific service account and project.
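As an added example (not part of the rule text or the ComplianceAsCode project), the following POSIX shell helper audits which pods still run under the default service account and prints the remediation command from the description for each. It assumes the pod listing comes from `oc get pods -A -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,SA:.spec.serviceAccountName --no-headers`; the sample lines embedded below are constructed, not real cluster data, and the naming scheme for the new account is an assumption of this example.

```shell
#!/bin/sh
# Added example: find pods using the "default" service account and emit the
# "oc create sa" command from the rule description for each finding.
# Assumed input format (one pod per line): NAMESPACE POD SERVICEACCOUNT, as produced by
#   oc get pods -A -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,SA:.spec.serviceAccountName --no-headers

# Constructed sample of that listing (not real cluster data).
SAMPLE_PODS='app-prod   web-7c9d   web-sa
app-prod   worker-1   default
billing    api-5f2    default
billing    cron-a1    billing-cron'

# Read the listing on stdin; print "namespace pod" for every pod whose
# service account is literally "default".
find_default_sa_pods() {
  awk '$3 == "default" { print $1, $2 }'
}

# Build the remediation command from the rule description for one finding.
# $1 = namespace, $2 = unique service account name to create in it.
remediation_cmd() {
  printf 'oc create sa %s -n %s\n' "$2" "$1"
}

# Gate for CI or a compliance scan: succeed only when no pod on stdin
# still uses the default service account.
check_no_default_sa() {
  count=$(find_default_sa_pods | wc -l | tr -d ' ')
  [ "$count" -eq 0 ]
}

# Stand-alone run over the constructed sample. The new account name is derived
# from the pod's workload prefix (assumed naming scheme for this example).
printf '%s\n' "$SAMPLE_PODS" | find_default_sa_pods | while read -r ns pod; do
  echo "FINDING: pod $pod in namespace $ns uses the default service account"
  remediation_cmd "$ns" "${pod%%-*}-sa"
done
```

Once each workload has its own account, the pod or deployment spec must reference it via `serviceAccountName`; the check above then reports nothing and exits zero, which is the state the rule expects.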

ID
xccdf_org.ssgproject.content_rule_accounts_unique_service_account
Severity
Medium