Kube Bench

5.1 RBAC and Service Accounts

5.1.1 Ensure that the cluster-admin role is only used where required (Not Scored)

Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower-privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name]

5.1.2 Minimize access to secrets (Not Scored)

Where possible, remove get, list and watch access to secret objects in the cluster.

5.1.3 Minimize wildcard use in Roles and ClusterRoles (Not Scored)

Where possible, replace any use of wildcards in clusterroles and roles with specific objects or actions.

5.1.4 Minimize access to create pods (Not Scored)

Where possible, remove create access to pod objects in the cluster.
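
The four manual checks above (5.1.1 to 5.1.4) can be triaged from a JSON export of the RBAC objects. The following is an added example, not part of kube-bench or the benchmark text: the function names and the sample objects are constructed for illustration, and the sample is shaped like the items of `kubectl get clusterroles,roles,clusterrolebindings --all-namespaces -o json`.

```python
# Constructed sample objects, shaped like the "items" array of
# `kubectl get clusterroles,roles,clusterrolebindings --all-namespaces -o json`.
SAMPLE_ITEMS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]},
    {"kind": "Role", "metadata": {"name": "cm-view", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]

def grants(rule, resource, verbs):
    """True if a rule grants any of `verbs` on a core-group `resource` (wildcards count)."""
    groups, res, vbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    in_group = "" in groups or "*" in groups  # secrets and pods live in the core ("") group
    return in_group and (resource in res or "*" in res) and ("*" in vbs or bool(set(vbs) & verbs))

def audit_rbac(items):
    """Return sorted (check_id, object_name) findings for checks 5.1.1 to 5.1.4."""
    findings = set()
    for obj in items:
        meta = obj["metadata"]
        name = "/".join(filter(None, [meta.get("namespace"), meta["name"]]))
        if obj["kind"] == "ClusterRoleBinding":
            if obj["roleRef"]["name"] == "cluster-admin":
                findings.add(("5.1.1", name))  # binding to review, then downgrade or delete
            continue
        for rule in obj.get("rules") or []:
            fields = rule.get("apiGroups", []) + rule.get("resources", []) + rule.get("verbs", [])
            if "*" in fields:
                findings.add(("5.1.3", name))  # wildcard in groups, resources or verbs
            if grants(rule, "secrets", {"get", "list", "watch"}):
                findings.add(("5.1.2", name))  # read access to secrets
            if grants(rule, "pods", {"create"}):
                findings.add(("5.1.4", name))  # can create pods
    return sorted(findings)

if __name__ == "__main__":
    for check, name in audit_rbac(SAMPLE_ITEMS):
        print(check, name)
```

Each finding is a candidate for review, not an automatic failure: built-in bindings and roles will also appear when this is run against a real export.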

5.1.5 Ensure that default service accounts are not actively used. (Scored)

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value: automountServiceAccountToken: false

5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Not Scored)

For pods and service accounts that do not need to mount service account tokens, modify their definitions to disable token mounting.