By default, every Kubernetes namespace is automatically provisioned with a service account named default. Pods that run under this account can authenticate to the Kubernetes API server with its token and reach any resources it has been granted. If these accounts are not being actively used, they still increase the attack surface of the cluster, because an attacker who compromises a Pod can use the mounted token to gain unauthorized access to the cluster. Attackers can use these default service accounts to run malicious containers, access sensitive information or execute malicious commands. As a best practice, it is recommended to disable the use of these default service accounts. Note: Disabling the default service accounts is only recommended if there are no Kubernetes components or user-created components in the namespace that depend on them.
To ensure default service accounts are not actively used, the following remediation steps can be taken:
- Review and assess the usage of the default service account across all namespaces in the cluster.
- For namespaces that do not require a default service account, disable it by setting the automountServiceAccountToken field to false in the spec section of the Pod or Deployment YAML file, so that no API token is mounted into the containers.
- For namespaces that require a service account, create a separate service account with the required permissions and use it instead of the default service account.
- Monitor the cluster for any attempts to use the default service account and investigate them immediately.
Regularly auditing the usage of service accounts in the cluster is recommended to ensure that only necessary service accounts are used and that they are not exploited by attackers.
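The following Python snippet is an added example, not part of the original page or Lightlytics tooling, that performs the first review step and the ongoing audit offline: it takes the JSON that `kubectl get pods -o json` and `kubectl get serviceaccounts -o json` produce and lists Pods still running as `default` with an API token mounted. It resolves automountServiceAccountToken the way the ServiceAccount admission controller does (Pod spec value first, then the ServiceAccount object's value, otherwise true), so a Pod is not flagged if the field was disabled at either level. The sample documents and Pod names are constructed for illustration.

```python
import json

# Constructed sample (hypothetical names): what `kubectl get pods -n demo -o json`
# and `kubectl get sa -n demo -o json` would return, trimmed to the fields the audit needs.
SAMPLE_PODS = [
    {"metadata": {"name": "web"}, "spec": {"serviceAccountName": "default"}},
    {"metadata": {"name": "worker"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": False}},
    {"metadata": {"name": "ingest"}, "spec": {"serviceAccountName": "ingest-sa"}},
]
SAMPLE_SERVICE_ACCOUNTS = [
    {"metadata": {"name": "default"}},   # no automount setting on the SA: defaults to true
    {"metadata": {"name": "ingest-sa"}},
]


def effective_automount(pod, sa_by_name):
    """Resolve automountServiceAccountToken as the ServiceAccount admission
    controller does: the Pod spec value wins; otherwise the ServiceAccount's
    value; otherwise true (token is mounted)."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    sa = sa_by_name.get(spec.get("serviceAccountName", "default"), {})
    return bool(sa.get("automountServiceAccountToken", True))


def audit_default_sa(pods, service_accounts):
    """Return the names of Pods that run as `default` with an API token mounted."""
    sa_by_name = {sa["metadata"]["name"]: sa for sa in service_accounts}
    return [
        pod["metadata"]["name"]
        for pod in pods
        if pod["spec"].get("serviceAccountName", "default") == "default"
        and effective_automount(pod, sa_by_name)
    ]


def audit_from_kubectl_json(pods_json, sas_json):
    """Convenience wrapper for the raw `-o json` List documents from kubectl."""
    return audit_default_sa(json.loads(pods_json)["items"],
                            json.loads(sas_json)["items"])


if __name__ == "__main__":
    for name in audit_default_sa(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print(f"Pod {name}: runs as the default service account with a token mounted")
```

Run it per namespace as part of the regular audit; any Pod it reports either needs a dedicated service account or automountServiceAccountToken set to false.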
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.