Profile Applicability:
Level 1
Description:
By default, Kubernetes creates a default service account in every namespace. While this service account can be used for basic operations, it is not recommended to use it for production workloads as it has broad permissions within the namespace. This check ensures that the default service account is not actively used by applications or services in the cluster, thus minimizing security risks.
Rationale:
Using the default service account can lead to unintended privilege escalation or misuse, as it may not have the strictest permissions needed for a given application. Service accounts should be specific to the workloads they support, following the principle of least privilege to enhance security.
Impact:
Pros:
Reduces the risk of misuse of the default service account.
Ensures that service accounts are configured with the least privilege required for the workload.
Cons:
Additional configuration is needed to ensure the correct service accounts are in use.
Might require updating deployments and other resources to use specific service accounts.
Default Value:
The default service account is automatically created in every namespace, and in some cases, it may be used unintentionally by workloads that do not specify a service account.
Pre-requisites:
Ensure that proper service account management and Role-Based Access Control (RBAC) settings are in place for workloads that require specific service accounts.
Remediation:
Test Plan:
Using Azure Console:
Review the service account configuration in each namespace.
Ensure that no workloads are using the default service account.
Using Azure CLI:
List all pods and their associated service accounts using the following command:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.serviceAccountName}{"\n"}{end}'
Verify that the default service account is not used by any active pods. A pod whose manifest omits serviceAccountName is assigned default automatically at admission time, so it appears as default in this output and counts as a finding.
Implementation Plan:
Using Azure Console:
Access the namespace settings and review which service accounts are in use.
Update workloads that are using the default service account to use custom service accounts that have appropriate permissions.
Using Azure CLI:
Modify any resources that are using the default service account by specifying a different service account:
kubectl edit deployment <deployment-name> --namespace=<namespace>
Change the serviceAccountName field (under spec.template.spec for a Deployment) from default to a custom service account with limited permissions.
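As an added example (not part of this benchmark page), the following Python script applies the test-plan check to the JSON form of the kubectl pod listing and builds the patch command used in the implementation plan. The pod data is a constructed sample, and the function names and service-account names are assumptions.

```python
import json

# Constructed sample of `kubectl get pods --all-namespaces -o json` output
# (not from a real cluster). One pod omits serviceAccountName entirely.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "payments", "name": "api-7d9f"},
     "spec": {"serviceAccountName": "payments-api"}},
    {"metadata": {"namespace": "payments", "name": "worker-5c2a"},
     "spec": {"serviceAccountName": "default"}},
    {"metadata": {"namespace": "batch", "name": "cron-1"},
     "spec": {"automountServiceAccountToken": False}},
]})


def pods_using_default_sa(pods_json):
    """Return (namespace, pod, detail) for every pod bound to the default SA.

    A pod whose spec omits serviceAccountName is still bound to "default":
    the ServiceAccount admission controller fills the field in at creation.
    """
    findings = []
    for item in json.loads(pods_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        # serviceAccount is the deprecated alias some older manifests still use
        sa = spec.get("serviceAccountName") or spec.get("serviceAccount")
        if sa is None:
            detail = "implicit (serviceAccountName omitted)"
        elif sa == "default":
            detail = "explicit"
        else:
            continue
        if spec.get("automountServiceAccountToken") is False:
            detail += ", token not mounted"
        findings.append((meta.get("namespace", "default"), meta.get("name"), detail))
    return findings


def remediation_command(namespace, deployment, service_account):
    """Build the kubectl patch that moves a Deployment's pod template off the
    default SA; assumes the named service account already exists in the namespace."""
    patch = {"spec": {"template": {"spec": {"serviceAccountName": service_account}}}}
    return ("kubectl patch deployment %s --namespace=%s -p '%s'"
            % (deployment, namespace, json.dumps(patch)))


if __name__ == "__main__":
    for ns, pod, detail in pods_using_default_sa(SAMPLE_PODS_JSON):
        print("%s/%s uses default service account: %s" % (ns, pod, detail))
    print(remediation_command("payments", "worker", "payments-worker"))
```

Against a live cluster, feed the script `kubectl get pods --all-namespaces -o json` instead of the embedded sample.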
Backout Plan:
Using Azure Console:
If the change causes issues with workloads, revert the configuration to use the default service account.
Using Azure CLI:
Revert any changes by specifying the default service account in the deployment or pod configuration:
kubectl edit deployment <deployment-name> --namespace=<namespace>
Set the serviceAccountName field (under spec.template.spec for a Deployment) back to default.