Service Account Name Undefined Or Empty
- Query id: 591ade62-d6b0-4580-b1ae-209f80ba1cd9
- Query name: Service Account Name Undefined Or Empty
- Platform: Kubernetes
- Severity: Medium
- Category: Insecure Defaults
- URL: Github
Description
A Kubernetes Pod should have a Service Account explicitly defined so as to restrict its Kubernetes API access, which means the attribute 'serviceAccountName' should be present and not empty. When the attribute is omitted, the Pod runs under the namespace's 'default' ServiceAccount rather than one scoped to the workload.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
#this is a problematic code where the query should report a result(s)
apiVersion: v1
kind: Pod
metadata:
  name: nginx.container
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx2.container.group
spec:
  containers:
  - image: nginx2
    name: nginx2
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName:
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx3
spec:
  containers:
  - image: nginx3
    name: nginx3
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: ""
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
#this code is a correct code for which the query should not find any result
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: build-robot
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault
```
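The check described above, written out as an added example in Python. This is not the KICS query itself (KICS queries are Rego) and not code from the project; it is a stand-alone re-implementation of the same rule that distinguishes the three failing shapes the positive samples show (key absent, `serviceAccountName:` with a null value, `serviceAccountName: ""`). It also goes one step beyond the page by applying the rule to the pod templates of Deployments, StatefulSets, DaemonSets, ReplicaSets, Jobs and CronJobs, whose pod spec paths are assumed from the Kubernetes API. The manifests are constructed inline as Python dicts mirroring the YAML samples so the example runs offline without a YAML parser.

```python
"""Flag Kubernetes workloads whose pods have no explicit serviceAccountName.

Added example, not the KICS query. Manifests below are constructed dicts that
mirror the YAML samples on this page (plus one Deployment for the template case).
"""
from typing import Any, Dict, List, Optional, Tuple

# Kinds that carry a pod spec, and the key path to that pod spec (assumed API layout).
POD_SPEC_PATHS: Dict[str, Tuple[str, ...]] = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(doc: Dict[str, Any], path: Tuple[str, ...]) -> Optional[Dict[str, Any]]:
    """Follow a key path through nested dicts; None if any step is missing or not a mapping."""
    node: Any = doc
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, dict) else None


def service_account_finding(doc: Dict[str, Any]) -> Optional[str]:
    """Return a finding for one manifest, or None when it is compliant.

    Failures, matching the positive samples: the key is absent; the key is present
    with a null value (`serviceAccountName:`); the value is an empty or
    whitespace-only string (`serviceAccountName: ""`).
    """
    kind = doc.get("kind")
    path = POD_SPEC_PATHS.get(kind)
    if path is None:
        return None  # not a workload kind this check understands
    pod_spec = _dig(doc, path)
    if pod_spec is None:
        return None  # no pod spec at the expected path; nothing to judge
    name = (doc.get("metadata") or {}).get("name", "<unnamed>")
    where = ".".join(path) + ".serviceAccountName"
    if "serviceAccountName" not in pod_spec:
        return (f"{kind}/{name}: {where} is undefined "
                f"(pod falls back to the namespace 'default' ServiceAccount)")
    value = pod_spec["serviceAccountName"]
    if value is None or (isinstance(value, str) and value.strip() == ""):
        return f"{kind}/{name}: {where} is empty"
    if not isinstance(value, str):
        return f"{kind}/{name}: {where} must be a string, got {type(value).__name__}"
    return None


def scan(docs: List[Dict[str, Any]]) -> List[str]:
    """Run the check over a list of parsed manifests and collect the findings."""
    return [f for f in (service_account_finding(d) for d in docs) if f is not None]


def _pod(name: str, **spec_extra: Any) -> Dict[str, Any]:
    """Constructed Pod mirroring the page's samples; extra keyword args land in spec."""
    spec: Dict[str, Any] = {"containers": [{"image": "nginx", "name": "nginx"}]}
    spec.update(spec_extra)
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed inputs: the three positive samples, the negative sample, and a Deployment.
SAMPLES: List[Dict[str, Any]] = [
    _pod("nginx.container"),                                   # key absent
    _pod("nginx2.container.group", serviceAccountName=None),   # `serviceAccountName:` (null)
    _pod("nginx3", serviceAccountName=""),                     # `serviceAccountName: ""`
    _pod("nginx", serviceAccountName="build-robot"),           # compliant negative sample
    {   # added case: pod template inside a Deployment, no serviceAccountName
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "web"},
        "spec": {"template": {"spec": {"containers": [{"image": "nginx", "name": "nginx"}]}}},
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Running the block reports four findings: the three positive Pods and the Deployment; the `build-robot` Pod is silent. A null value is reported separately from an absent key because YAML authors often write `serviceAccountName:` intending to fill it in later, and the two read differently in a review even though both leave the pod on the namespace's default account.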