Profile applicability: Level 2 - Master Node
Automate service accounts management.
When you create a pod, if you do not specify a service account, it is automatically
assigned
the
default service account in the same namespace. You should create your own
service account and let the API server manage its security tokens. |
NoteBy default,
ServiceAccount is set. |
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the
--disable-admission-plugins argument is set to a value that
does not includes ServiceAccount.Remediation
Follow the documentation and create
ServiceAccount objects as per your
environment. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the
--disable-admission-plugins parameter is set to a value that does not include
ServiceAccount.