The default service account should not be used, so that the rights granted to applications can be audited and reviewed more easily.

Rationale: Kubernetes creates a default service account in every namespace, and a pod that does not name a service account runs as that default. Where a pod requires access to the Kubernetes API, a dedicated service account should be created for that pod and the necessary rights granted to it. The default service account should be configured so that it does not provide a service account token and has no explicit rights assignments (no RoleBinding or ClusterRoleBinding names it as a subject).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Create explicit service accounts wherever a Kubernetes workload requires access to the Kubernetes API server, and bind rights to those accounts rather than to the default one. Modify the configuration of the default service account in each namespace to include the value automountServiceAccountToken: false. Note that a pod may set automountServiceAccountToken in its own spec, and the pod-level value takes precedence over the service account's, so a pod that explicitly sets it to true still receives a token; an unset value on both the pod and the service account means the token is mounted.

Impact: All workloads which require access to the Kubernetes API will require an explicit service account to be created.

Default Value: By default the default service account allows its service account token to be mounted in pods in its namespace.
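The following script is an added example, not code from Nessus or the CIS benchmark, showing how the three conditions above can be audited offline. It expects the "items" lists that `kubectl get serviceaccounts -A -o json`, `kubectl get rolebindings,clusterrolebindings -A -o json` and `kubectl get pods -A -o json` produce (the `load_items` helper reads such a file); the sample objects embedded below are constructed for the demonstration and the function names are this example's own. The pod check applies the real precedence rule, so it also catches a pod that re-enables the token after the default service account has been fixed. Remediation itself is a patch per namespace, for example `kubectl patch serviceaccount default -n <namespace> -p '{"automountServiceAccountToken": false}'`.

```python
"""Offline audit of Kubernetes default service accounts (added example).

Three checks: every `default` ServiceAccount carries an explicit
automountServiceAccountToken: false, no RoleBinding/ClusterRoleBinding lists a
`default` ServiceAccount as a subject, and no pod running as `default` ends up
with an API token mounted. Input shape matches `kubectl get <kind> -A -o json`.
"""
import json


def load_items(path):
    """Read a `kubectl get ... -o json` list from disk (hypothetical helper)."""
    with open(path) as f:
        return json.load(f)


def default_sa_token_findings(service_accounts):
    """`default` ServiceAccounts whose token automount is not explicitly false.

    Kubernetes treats a missing field as true, so only an explicit False passes.
    """
    findings = []
    for sa in service_accounts["items"]:
        meta = sa["metadata"]
        if meta["name"] == "default" and sa.get("automountServiceAccountToken") is not False:
            findings.append(("ServiceAccount", meta["namespace"], "default",
                             "automountServiceAccountToken is not false"))
    return findings


def default_sa_binding_findings(bindings):
    """Role/ClusterRoleBindings that grant rights to any `default` ServiceAccount."""
    findings = []
    for b in bindings["items"]:
        ns = b["metadata"].get("namespace", "")  # ClusterRoleBindings have none
        for subj in b.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                findings.append((b["kind"], ns, b["metadata"]["name"],
                                 "binds %s/%s to default SA in namespace %s" % (
                                     b["roleRef"]["kind"], b["roleRef"]["name"],
                                     subj.get("namespace", ns))))
    return findings


def pod_default_sa_findings(pods, service_accounts):
    """Pods that run as `default` and receive a mounted API token.

    Precedence: the pod's own automountServiceAccountToken overrides the
    ServiceAccount's; if neither is set the token is mounted.
    """
    sa_automount = {(sa["metadata"]["namespace"], sa["metadata"]["name"]):
                    sa.get("automountServiceAccountToken")
                    for sa in service_accounts["items"]}
    findings = []
    for pod in pods["items"]:
        ns, spec = pod["metadata"]["namespace"], pod["spec"]
        if spec.get("serviceAccountName", "default") != "default":
            continue
        effective = spec.get("automountServiceAccountToken")
        if effective is None:
            effective = sa_automount.get((ns, "default"))
        if effective is None or effective:
            findings.append(("Pod", ns, pod["metadata"]["name"],
                             "runs as default SA with API token mounted"))
    return findings


def audit(service_accounts, bindings, pods):
    """Run all checks; sorted so reports are stable across runs."""
    return sorted(default_sa_token_findings(service_accounts)
                  + default_sa_binding_findings(bindings)
                  + pod_default_sa_findings(pods, service_accounts))


# Constructed sample data (not captured from a real cluster).
SAMPLE_SERVICE_ACCOUNTS = {"items": [
    {"metadata": {"namespace": "payments", "name": "default"},
     "automountServiceAccountToken": False},                  # compliant
    {"metadata": {"namespace": "web", "name": "default"}},    # field unset
    {"metadata": {"namespace": "web", "name": "api-reader"},
     "automountServiceAccountToken": True},                   # dedicated SA
]}
SAMPLE_BINDINGS = {"items": [
    {"kind": "RoleBinding", "metadata": {"namespace": "web", "name": "default-pod-reader"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "web"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "web", "name": "api-reader-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "api-reader", "namespace": "web"}]},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "web", "name": "frontend"}, "spec": {}},            # implicit default
    {"metadata": {"namespace": "payments", "name": "worker"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True}},  # pod re-enables
    {"metadata": {"namespace": "payments", "name": "batch"},
     "spec": {"serviceAccountName": "default"}},                                      # inherits false
    {"metadata": {"namespace": "web", "name": "api"}, "spec": {"serviceAccountName": "api-reader"}},
]}

if __name__ == "__main__":
    for kind, ns, name, why in audit(SAMPLE_SERVICE_ACCOUNTS, SAMPLE_BINDINGS, SAMPLE_PODS):
        print("%-19s %-9s %-20s %s" % (kind, ns or "-", name, why))
```

Against the sample data the audit reports five findings: the unpatched default service account in web, the RoleBinding and ClusterRoleBinding that name a default service account, the frontend pod that silently runs as default with a token, and the worker pod in payments that overrides the patched service account with its own automountServiceAccountToken: true. The batch pod and the api pod are not reported.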