Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Compliance > Kubernetes > CIS - GKE 1.2.0 > Kubernetes Policies >

RBAC and Service Accounts

N/A
Source
Kube Bench
ID
4.1
Version
gke-1.2.0

4.1 RBAC and Service Accounts

4.1.1 Ensure that the cluster-admin role is only used where required (Manual)

Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]

4.1.2 Minimize access to secrets (Manual)

Where possible, remove get, list and watch access to secret objects in the cluster.

4.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

4.1.4 Minimize access to create pods (Manual)

Where possible, remove create access to pod objects in the cluster.

4.1.5 Ensure that default service accounts are not actively used. (Manual)

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false

4.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)

Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use