1.1.27 Ensure that the admission control policy is set to ServiceAccount

Information

Automate service accounts management.

Rationale:

When you create a pod, if you do not specify a service account, it is automatically assigned the 'default' service account in the same namespace. You should create your own service account and let the API server manage its security tokens.

Solution

Follow the documentation and create 'ServiceAccount' objects as per your environment. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--admission-control' parameter to a value that includes 'ServiceAccount'.

--admission-control=...,ServiceAccount,...

Impact:

The 'ServiceAccount' objects must be created and granted before pod creation would be allowed.

See Also

https://workbench.cisecurity.org/files/1788

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|16

Plugin: Unix

Control ID: c8ec43ad802e684491dd0823767aa2564875cc9ba494dc3a3116e66f0ffc1a21