Profile Applicability:
Level 2
Description:
The ServiceAccount admission control plugin runs in the kube-apiserver on every Pod create request. It sets spec.serviceAccountName to the namespace's default service account when the manifest omits one, rejects Pods that reference a service account that does not exist, and, unless automounting is disabled on the Pod or on the service account, adds a projected volume that delivers the service account token, the cluster CA bundle and the namespace into each container. The result is that every Pod has an identity the API server can authenticate and authorize.
Rationale:
Without the plugin, a Pod that omits serviceAccountName would be admitted with no identity at all, and a Pod could reference an account that does not exist. With it, every Pod is tied to a service account that RBAC can reason about, which is a prerequisite for least-privilege access to the API server. Pods that do not specify an account receive the namespace's default service account, so the privileges and token exposure of that account are what the rest of this recommendation hinges on.
Impact:
Pros:
Every Pod gets an identity the API server can authenticate, which RBAC and audit logging can then attribute requests to.
Pods that reference a misspelled or deleted service account are rejected at admission instead of running under an unintended identity.
Cons:
Falling back to the default service account is silent. If that account has been granted roles, or its token is automounted into Pods that never need API access, every workload in the namespace inherits that exposure; the plugin grants no privileges itself, but it makes unintended use of the default account easy to miss.
Default Value:
ServiceAccount is in the set of admission plugins the kube-apiserver enables by default, and Amazon EKS runs it on every cluster. EKS does not expose kube-apiserver flags, so the plugin cannot be disabled from the customer side; the checks below confirm its effect on Pods rather than inspecting a flag.
Pre-requisites:
kubectl access to the cluster with permission to create a Pod in a test namespace and to read ServiceAccounts, RoleBindings and ClusterRoleBindings.
Custom service accounts must exist in the namespace before Pods reference them; the plugin rejects Pods that point at an account that does not exist.
Test Plan:
Using AWS Console:
The EKS control plane is managed by AWS and the console does not display kube-apiserver flags such as --enable-admission-plugins, so the plugin cannot be verified there. Use the console only to note the cluster's Kubernetes version on the cluster's Overview tab; ServiceAccount is part of the default plugin set for every version EKS supports.
Using AWS CLI:
The cluster description likewise carries no admission plugin list. Record the version:
aws eks describe-cluster --name <cluster-name> --query "cluster.version"
Using kubectl:
Verify the plugin's effect on a Pod that omits serviceAccountName. The field must come back populated and a projected kube-api-access-* volume must be present:
kubectl run sa-probe --image=busybox:1.36 --restart=Never --command -- sleep 300
kubectl get pod sa-probe -o jsonpath='{.spec.serviceAccountName}{"\n"}{.spec.volumes[*].name}{"\n"}'
kubectl delete pod sa-probe
The first output line must read default and the second must include a volume named kube-api-access-<hash>. As a second check, a Pod that references a non-existent service account must be rejected at admission with a "not found" error for that account:
kubectl run sa-missing --image=busybox:1.36 --restart=Never --overrides='{"spec":{"serviceAccountName":"does-not-exist"}}' --command -- sleep 300
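As an added example (not part of this benchmark text), the following Python script automates the kubectl check above across a whole cluster, reading the JSON that `kubectl get pods -A -o json` prints. For each Pod it reports whether admission filled in the service account, whether the projected token volume is mounted into every container, and whether the Pod fell back to the default account. The embedded sample Pods are constructed; the kube-api-access- volume prefix and the mount path are the ones Kubernetes uses, and the third sample shows what a Pod would look like if no admission plugin had defaulted its account.

```python
"""Check that Pods carry the marks left by the ServiceAccount admission plugin.

Added example, not part of the benchmark text. Run it with the path to a file
holding `kubectl get pods -A -o json` output, or with no argument to process
the constructed SAMPLE_PODS_JSON below.
"""
import json
import sys

TOKEN_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"
TOKEN_VOLUME_PREFIX = "kube-api-access-"   # projected token volume the plugin adds


def check_pod(pod):
    """Return findings for one Pod object.

    plugin_active   spec.serviceAccountName is populated; the plugin fills in
                    "default" for manifests that omit it, so an empty value on
                    an admitted Pod means the plugin did not run
    token_mounted   a projected kube-api-access-* volume exists and is mounted
                    at the well-known path in every (init) container
    uses_default_sa the Pod runs as the namespace's default ServiceAccount
    """
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or ""
    token_volumes = {
        v["name"] for v in spec.get("volumes", [])
        if v.get("name", "").startswith(TOKEN_VOLUME_PREFIX) and "projected" in v
    }
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    token_mounted = bool(token_volumes) and all(
        any(m.get("name") in token_volumes and m.get("mountPath") == TOKEN_MOUNT_PATH
            for m in c.get("volumeMounts", []))
        for c in containers
    )
    return {
        "pod": f"{meta.get('namespace', '')}/{meta.get('name', '')}",
        "service_account": sa,
        "plugin_active": bool(sa),
        "token_mounted": token_mounted,
        "uses_default_sa": sa == "default",
    }


def audit(text):
    """Parse kubectl JSON (a single Pod or a kind: List) and check every Pod."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [check_pod(p) for p in items if p.get("kind") == "Pod"]


# Constructed sample: two Pods as the plugin leaves them (the second opted out
# of token automounting) and one Pod as it would look without the plugin.
SAMPLE_PODS_JSON = r'''{
  "apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "probe", "namespace": "default"},
     "spec": {
       "serviceAccountName": "default", "serviceAccount": "default",
       "containers": [{"name": "probe", "image": "busybox:1.36",
         "volumeMounts": [{"name": "kube-api-access-x7k2p", "readOnly": true,
           "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}],
       "volumes": [{"name": "kube-api-access-x7k2p", "projected": {"sources": [
         {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}},
         {"configMap": {"name": "kube-root-ca.crt",
                        "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
         {"downwardAPI": {"items": [{"path": "namespace",
                        "fieldRef": {"fieldPath": "metadata.namespace"}}]}}]}}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "worker", "namespace": "payments"},
     "spec": {"serviceAccountName": "worker", "serviceAccount": "worker",
              "automountServiceAccountToken": false,
              "containers": [{"name": "app", "image": "example/worker:1.0"}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "unmutated", "namespace": "default"},
     "spec": {"containers": [{"name": "app", "image": "busybox:1.36"}]}}
  ]
}'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PODS_JSON
    for finding in audit(text):
        print(finding)
```

On a healthy EKS cluster every admitted Pod should report plugin_active true; a Pod with token_mounted false is fine only when it or its account opted out via automountServiceAccountToken: false, and the uses_default_sa column is the list to work through under the Implementation Plan.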
Implementation Plan:
Using AWS Console:
There is nothing to enable: the ServiceAccount plugin is always active on EKS and the console offers no control over kube-apiserver admission plugins. Remediation therefore targets what the plugin hands out, the default service account, rather than the plugin itself.
Using kubectl:
In every namespace, stop the default service account from automounting a token into Pods that do not ask for one, and keep it unbound from any Role or ClusterRole. Workloads that need API access get a dedicated service account and set automountServiceAccountToken: true on their own Pod spec:
kubectl patch serviceaccount default -n <namespace> -p '{"automountServiceAccountToken": false}'
Remove any RoleBinding or ClusterRoleBinding whose subjects include a default ServiceAccount or the system:serviceaccounts groups, other than the built-in system:service-account-issuer-discovery binding, after confirming that no workload depends on it.
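Added example, not part of the benchmark text: the script below inventories the exposure this section remediates, reading the JSON printed by `kubectl get serviceaccounts -A -o json`, `kubectl get rolebindings -A -o json` and `kubectl get clusterrolebindings -o json`. It lists the namespaces whose default service account still automounts a token and every binding that reaches a default service account, directly or through the system:serviceaccounts and system:serviceaccounts:<namespace> groups. The inline sample objects are constructed; the built-in system:service-account-issuer-discovery binding is skipped by default because Kubernetes creates it on every cluster.

```python
"""Audit what the default ServiceAccounts in a cluster can do.

Added example, not part of the benchmark text. Pass one or more files of
kubectl JSON output (kind: List or a single object) on the command line, or
no arguments to process the constructed SAMPLE_JSON below.
"""
import json
import sys

DEFAULT_SA = "default"
ALL_SA_GROUP = "system:serviceaccounts"
# Kubernetes ships this ClusterRoleBinding for every service account; it only
# exposes the OIDC discovery documents and is expected on any cluster.
BUILTIN_GROUP_BINDINGS = {"system:service-account-issuer-discovery"}


def load_objects(*docs):
    """Flatten one or more kubectl JSON documents into a list of objects."""
    objects = []
    for text in docs:
        doc = json.loads(text)
        objects.extend(doc["items"] if doc.get("kind") == "List" else [doc])
    return objects


def default_sas_automounting(objects):
    """Namespaces whose default SA still hands a token to every Pod."""
    return sorted(
        sa["metadata"]["namespace"] for sa in objects
        if sa.get("kind") == "ServiceAccount"
        and sa["metadata"].get("name") == DEFAULT_SA
        and sa.get("automountServiceAccountToken") is not False
    )


def bindings_reaching_default_sa(objects, ignore=BUILTIN_GROUP_BINDINGS):
    """Bindings whose subjects include a default SA, directly or via the
    system:serviceaccounts / system:serviceaccounts:<ns> groups.

    Each finding records which namespace's default SA gains the role; "*"
    means the default SA of every namespace.
    """
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        meta = obj["metadata"]
        if meta["name"] in ignore:
            continue
        ident = kind + "/" + "/".join(x for x in (meta.get("namespace"), meta["name"]) if x)
        role = obj.get("roleRef", {})
        for s in obj.get("subjects") or []:
            skind, name = s.get("kind"), s.get("name", "")
            if skind == "ServiceAccount" and name == DEFAULT_SA:
                # RoleBinding subjects may name an SA from another namespace
                reach = s.get("namespace") or meta.get("namespace")
            elif skind == "Group" and name == ALL_SA_GROUP:
                reach = "*"
            elif skind == "Group" and name.startswith(ALL_SA_GROUP + ":"):
                reach = name[len(ALL_SA_GROUP) + 1:]
            else:
                continue
            findings.append({"binding": ident,
                             "role": f"{role.get('kind')}/{role.get('name')}",
                             "default_sa_namespace": reach})
    return findings


# Constructed sample: one namespace already hardened, one RoleBinding that
# grants edit to a default SA, one group binding, the built-in binding, and a
# binding to a human user that must not be flagged.
SAMPLE_JSON = r'''{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "v1", "kind": "ServiceAccount",
   "metadata": {"name": "default", "namespace": "default"}},
  {"apiVersion": "v1", "kind": "ServiceAccount",
   "metadata": {"name": "default", "namespace": "payments"},
   "automountServiceAccountToken": false},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
   "metadata": {"name": "default-edit", "namespace": "payments"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "payments"}]},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
   "metadata": {"name": "ops-readonly"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:ops"}]},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
   "metadata": {"name": "system:service-account-issuer-discovery"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
               "name": "system:service-account-issuer-discovery"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
   "metadata": {"name": "alice-edit", "namespace": "default"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "User", "name": "alice"}]}
]}'''

if __name__ == "__main__":
    docs = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_JSON]
    objs = load_objects(*docs)
    print("default SAs still automounting tokens:", default_sas_automounting(objs))
    for f in bindings_reaching_default_sa(objs):
        print("binding reaches a default SA:", f)
```

Each namespace the first function lists is a candidate for the kubectl patch above, and each finding from the second is a binding to move onto a dedicated service account before it is deleted; pass ignore=set() to see the built-in binding as well.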
Backout Plan
Using AWS Console:
No control plane change was made, so there is nothing to revert in the cluster configuration.
Using kubectl:
If a workload that relied on the default service account's token stops working after the patch, restore automounting for that namespace:
kubectl patch serviceaccount default -n <namespace> -p '{"automountServiceAccountToken": true}'
or, preferably, set automountServiceAccountToken: true on that Pod's spec alone, since the Pod-level setting takes precedence over the service account's. Re-create a removed binding only after the workload has been given its own service account to bind instead.
References:
Kubernetes Admission Controllers Reference: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
Kubernetes: Configure Service Accounts for Pods: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/