Profile applicability: Level 2 - Master Node
Automate service accounts management.

When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.

Note: By default, ServiceAccount is set.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --disable-admission-plugins argument is set to a value that does not include ServiceAccount.

Remediation
Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.
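As an added example, not part of the benchmark text, the following POSIX shell script carries out the audit step above in a form that can be scripted: it extracts the value of --disable-admission-plugins from a kube-apiserver command line and treats the check as failed only when ServiceAccount appears as a whole item of that comma-separated list. A second function runs the same test against the static pod manifest path named in the remediation, which is useful for verifying an edit before the kubelet restarts the pod. The function names (sa_admission_check, live_check, manifest_check) and the sample ps -ef lines are constructed for illustration; the flag name and manifest path are the ones the benchmark gives.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: check whether the ServiceAccount
# admission plugin has been disabled. Function names and samples are constructed.

# sa_admission_check CMDLINE
# Returns 0 (pass) when ServiceAccount is absent from --disable-admission-plugins
# (or the flag is absent altogether), 1 (fail) when it is listed.
sa_admission_check() {
    cmdline="$1"
    # Capture the flag value in either "--flag=value" or "--flag value" form;
    # empty when the flag is not present.
    disabled=$(printf '%s\n' "$cmdline" \
        | sed -n 's/.*--disable-admission-plugins[= ]\([^ ]*\).*/\1/p')
    # The value is a comma-separated list; match ServiceAccount as a whole item
    # so that a plugin whose name merely contains the string would not match.
    case ",$disabled," in
        *,ServiceAccount,*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# live_check: the benchmark's audit step, run on a control plane node.
# The [k] in the pattern keeps grep from matching its own command line.
live_check() {
    line=$(ps -ef | grep '[k]ube-apiserver' | head -n 1)
    if [ -z "$line" ]; then
        echo "kube-apiserver process not found" >&2
        return 2
    fi
    sa_admission_check "$line"
}

# manifest_check [PATH]: the same test against the static pod manifest named
# in the remediation (default path taken from the benchmark text).
manifest_check() {
    manifest="${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
    if [ ! -r "$manifest" ]; then
        echo "cannot read $manifest" >&2
        return 2
    fi
    # Flatten the YAML so the flag and its value sit on one line for sed.
    sa_admission_check "$(tr '\n' ' ' < "$manifest")"
}

# Constructed ps -ef lines (not captured from a real cluster).
PASS_SAMPLE='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --advertise-address=10.0.0.1 --disable-admission-plugins=AlwaysAdmit --enable-admission-plugins=NodeRestriction'
FAIL_SAMPLE='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --advertise-address=10.0.0.1 --disable-admission-plugins=AlwaysAdmit,ServiceAccount --enable-admission-plugins=NodeRestriction'
NOFLAG_SAMPLE='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --advertise-address=10.0.0.1 --enable-admission-plugins=NodeRestriction'

for s in "$PASS_SAMPLE" "$FAIL_SAMPLE" "$NOFLAG_SAMPLE"; do
    if sa_admission_check "$s"; then
        echo "PASS: ServiceAccount admission plugin is active"
    else
        echo "FAIL: ServiceAccount is listed in --disable-admission-plugins"
    fi
done
```

On a control plane node, `live_check` replaces the manual ps/grep inspection; the whole-item match on the comma-separated list is what keeps the check from flagging an unrelated plugin name, and an absent flag is treated as a pass because the plugin is enabled by default.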