Kube Bench

5.1 RBAC and Service Accounts

5.1.1 Ensure that the cluster-admin role is only used where required (Manual)

Identify all clusterrolebindings to the cluster-admin role. Check whether they are used and whether they need this role or could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name]

5.1.2 Minimize access to secrets (Manual)

Where possible, remove get, list and watch access to Secret objects in the cluster.

5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

5.1.4 Minimize access to create pods (Manual)

Where possible, remove create access to pod objects in the cluster.

5.1.5 Ensure that default service accounts are not actively used (Automated)

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value: automountServiceAccountToken: false

5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)

Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
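The following is an added example (not part of the kube-bench output above) showing how checks 5.1.5 and 5.1.6 can be evaluated offline over objects shaped like the items of kubectl get serviceaccounts -A -o json and kubectl get pods -A -o json. The service accounts and pods it contains are constructed sample data; it applies the Kubernetes precedence for automountServiceAccountToken (the pod-level field overrides the service account's, and an unset field means true) and reports default service accounts that still automount tokens, pods running as the default service account, and pods that end up with a token mounted.

```python
"""Audit ServiceAccount and Pod objects for CIS 5.1.5 and 5.1.6.

The lists below mimic the ``items`` arrays of ``kubectl get serviceaccounts -A -o json``
and ``kubectl get pods -A -o json``; every object here is constructed sample data.
"""

SERVICE_ACCOUNTS = [
    # Hardened default SA: tokens are not mounted unless a pod opts back in.
    {"metadata": {"name": "default", "namespace": "payments"},
     "automountServiceAccountToken": False},
    # Unmodified default SA: the API server treats a missing field as true.
    {"metadata": {"name": "default", "namespace": "web"}},
    # Explicit SA for a workload that never talks to the API server.
    {"metadata": {"name": "reporter", "namespace": "web"},
     "automountServiceAccountToken": False},
]

PODS = [
    # No serviceAccountName: the pod runs as "default" (5.1.5) and receives its token (5.1.6).
    {"metadata": {"name": "frontend", "namespace": "web"}, "spec": {}},
    # Explicit SA with automount disabled: nothing to report.
    {"metadata": {"name": "report-job", "namespace": "web"},
     "spec": {"serviceAccountName": "reporter"}},
    # The pod-level field overrides the SA-level one, so the token is mounted again (5.1.6).
    {"metadata": {"name": "batch", "namespace": "payments"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True}},
]


def qualified(kind, obj):
    """Human-readable object reference such as Pod/web/frontend."""
    meta = obj["metadata"]
    return f"{kind}/{meta['namespace']}/{meta['name']}"


def token_is_mounted(pod, sa_index):
    """Kubernetes precedence: pod.spec setting wins, then the service account's, then true."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    return bool(sa_index.get(key, {}).get("automountServiceAccountToken", True))


def audit(service_accounts, pods):
    """Return (control, object, message) tuples for every object that fails 5.1.5 or 5.1.6."""
    sa_index = {(sa["metadata"]["namespace"], sa["metadata"]["name"]): sa
                for sa in service_accounts}
    findings = []
    for sa in service_accounts:
        if sa["metadata"]["name"] == "default" and sa.get("automountServiceAccountToken") is not False:
            findings.append(("5.1.5", qualified("ServiceAccount", sa),
                             "default service account still automounts tokens"))
    for pod in pods:
        name = qualified("Pod", pod)
        if pod.get("spec", {}).get("serviceAccountName", "default") == "default":
            findings.append(("5.1.5", name, "runs as the default service account"))
        if token_is_mounted(pod, sa_index):
            findings.append(("5.1.6", name,
                             "service account token is mounted; confirm the workload needs API access"))
    return findings


if __name__ == "__main__":
    for control, obj, msg in audit(SERVICE_ACCOUNTS, PODS):
        print(f"[{control}] {obj}: {msg}")
```

On a live cluster the same function can be fed the items arrays returned by kubectl; the only assumption it makes is that each object carries metadata.name and metadata.namespace. Note that the report-job pod is clean only because its service account disables automounting and the pod does not override it, while the batch pod shows why a pod-level override must be reviewed even when the default service account has already been hardened.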

5.1.7 Avoid use of system:masters group (Manual)

Remove the system:masters group from all users in the cluster.

5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)

Where possible, remove the impersonate, bind and escalate rights from subjects.
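The following is an added example (not part of the kube-bench output) that evaluates checks 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.7 and 5.1.8 offline over Role, ClusterRole, RoleBinding and ClusterRoleBinding objects shaped like the items of kubectl get -o json. All roles and bindings in it are constructed sample data. It skips rule analysis for roles labelled kubernetes.io/bootstrapping=rbac-defaults, because the API server reconciles those built-in roles on restart and the actionable finding is the binding that grants them, and it treats the '*' wildcard as matching any resource or verb so that a wildcard rule is also reported as granting secret access or pod creation.

```python
"""RBAC audit for CIS 5.1.1-5.1.4, 5.1.7 and 5.1.8 over constructed role and binding objects.

The dicts mimic the ``items`` of ``kubectl get clusterroles,roles,clusterrolebindings,rolebindings
-A -o json``; nothing here comes from a real cluster.
"""

ROLES = [
    # Built-in role: reconciled by the API server, so only its bindings are audited.
    {"kind": "ClusterRole",
     "metadata": {"name": "cluster-admin", "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
               {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
                "verbs": ["bind"]}]},
    # A resource wildcard in the core group silently includes secrets.
    {"kind": "Role", "metadata": {"name": "debug", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}]},
]

BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}, {"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "deployer-binding", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "web"}]},
]

SENSITIVE_VERBS = {"bind", "impersonate", "escalate"}


def qualified(obj):
    """Kind/namespace/name for namespaced objects, Kind/name for cluster-scoped ones."""
    meta = obj["metadata"]
    ns = meta.get("namespace")
    return f"{obj['kind']}/{ns + '/' if ns else ''}{meta['name']}"


def _matches(values, wanted):
    """True when a rule field names `wanted` explicitly or covers it with the '*' wildcard."""
    return "*" in values or wanted in values


def rule_findings(role):
    """Evaluate every rule of a Role/ClusterRole against 5.1.2, 5.1.3, 5.1.4 and 5.1.8."""
    if role["metadata"].get("labels", {}).get("kubernetes.io/bootstrapping") == "rbac-defaults":
        return []
    name = qualified(role)
    out = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources, verbs = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
        secret_verbs = [v for v in ("get", "list", "watch") if _matches(verbs, v)]
        if _matches(groups, "") and _matches(resources, "secrets") and secret_verbs:
            out.append(("5.1.2", name, f"rule {i} grants {', '.join(secret_verbs)} on secrets"))
        if "*" in groups or "*" in resources or "*" in verbs:
            out.append(("5.1.3", name, f"rule {i} uses a wildcard"))
        if _matches(groups, "") and _matches(resources, "pods") and _matches(verbs, "create"):
            out.append(("5.1.4", name, f"rule {i} grants create on pods"))
        risky = sorted(SENSITIVE_VERBS.intersection(verbs)) or (["*"] if "*" in verbs else [])
        if risky:
            out.append(("5.1.8", name, f"rule {i} grants {', '.join(risky)}"))
    return out


def binding_findings(binding):
    """Evaluate a RoleBinding/ClusterRoleBinding against 5.1.1 and 5.1.7."""
    name = qualified(binding)
    subjects = [f"{s['kind']}:{s['name']}" for s in binding.get("subjects", [])]
    out = []
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
        out.append(("5.1.1", name, "binds cluster-admin to " + ", ".join(subjects)))
    # Membership in system:masters comes from the client certificate's organization field, not
    # from RBAC objects, so an RBAC audit can only surface bindings that reference the group.
    if "Group:system:masters" in subjects:
        out.append(("5.1.7", name, "references the system:masters group"))
    return out


def audit(roles, bindings):
    findings = []
    for role in roles:
        findings.extend(rule_findings(role))
    for binding in bindings:
        findings.extend(binding_findings(binding))
    return findings


if __name__ == "__main__":
    for control, obj, msg in audit(ROLES, BINDINGS):
        print(f"[{control}] {obj}: {msg}")
```

Each finding names the control, the object and the offending rule index, which is what a remediation ticket needs when editing a role in place. The debug role illustrates the point of 5.1.3: its author only wrote "get", but the resource wildcard makes it a secret reader as well, so the audit reports it under both 5.1.2 and 5.1.3.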