1.1.28 Ensure that the admission control policy is set to ServiceAccount

Information

Automate service accounts management.

Rationale:

When you create a pod, if you do not specify a service account, it is automatically assigned the `default` service account in the same namespace. You should create your own service account and let the API server manage its security tokens.

Solution

Follow the documentation and create `ServiceAccount` objects as per your environment. Then, edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_ADMISSION_CONTROL` parameter to `'--admission-control=...,ServiceAccount,...'`: `KUBE_ADMISSION_CONTROL='--admission-control=...,ServiceAccount,...'`

Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

The `ServiceAccount` objects must be created and granted before pod creation would be allowed.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|16

Plugin: Unix

Control ID: feeb72a94302f062af1a82aba66336632e8f24fa2f86689fcf74d9a99aafb088