RoleBinding is set to the default service account Affecting Deployment service in Kubernetes

Snyk CCSS

Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Kubernetes

Snyk ID SNYK-CC-00644
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

A binding was found between a role and the default service account. The use of the default service account is discouraged.

How to fix?

Set subjects.name to a service account other than default.

Example Configuration

apiVersion: v1
kind: Namespace
metadata:
  name: user-1-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-binding-valid
  namespace: user-1-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-grantor
subjects:
  - kind: User
    name: default
    namespace: default
  - kind: User
    name: default
    namespace: kube-system

Kubernetes

Using RBAC Authorization

Terraform

kubernetes_role_binding

References

Using RBAC Authorization