Information
The default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.
Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod.
Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.
The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
Impact:
All workloads which require access to the Kubernetes API will require an explicit service account to be created.