Role Binding To Default Service Account
- Query id: 3360c01e-c8c0-4812-96a2-a6329b9b7f9f
- Query name: Role Binding To Default Service Account
- Platform: Terraform
- Severity: High
- Category: Insecure Defaults
- URL: Github
Description
Neither a Role nor a ClusterRole should be bound to a `default` service account. Every namespace gets a ServiceAccount named `default`, and its token is mounted into every pod in that namespace that does not set `serviceAccountName` (unless `automountServiceAccountToken` is false). Any permission granted to that account through a `kubernetes_role_binding` or `kubernetes_cluster_role_binding` subject is therefore available to every such pod, so a single compromised workload inherits the whole binding. Create a dedicated ServiceAccount per workload and bind roles to that instead.
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "kubernetes_role_binding" "example" {
  metadata {
    name      = "terraform-example"
    namespace = "default"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = "admin"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  # This subject is what the query flags: the "default" ServiceAccount of
  # kube-system, which every pod in that namespace without an explicit
  # serviceAccountName runs as, receives the "admin" Role.
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  # The User and Group subjects are not part of this query; they are kept
  # unchanged in the negative sample below.
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "kubernetes_role_binding" "example2" {
  metadata {
    name      = "terraform-example"
    namespace = "default"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = "admin"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  # A dedicated, named ServiceAccount is the subject instead of "default",
  # so only pods that explicitly run as "serviceExample" get the Role.
  subject {
    kind      = "ServiceAccount"
    name      = "serviceExample"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
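As an added example (not part of this page and not the KICS project's own Rego query), the following Python script applies the same rule to the JSON that `terraform show -json tfplan` produces: it walks every Kubernetes role binding and cluster role binding in the plan, including child modules, and reports each subject that is a ServiceAccount named `default`. The plan excerpt embedded in the script is constructed to mirror the two samples above plus a cluster role binding in a child module; the set of resource type names is an assumption based on the hashicorp/kubernetes provider, and the nested-block-as-list layout (`subject`, `metadata`, `role_ref`) is the layout `terraform show -json` uses for block attributes.

```python
"""Flag Terraform-planned (cluster) role bindings that grant a Role or
ClusterRole to a `default` ServiceAccount.

Input is the JSON produced by `terraform show -json tfplan`. The plan
excerpt below is constructed for this example; it is not taken from the
page or from KICS.
"""
import json
import sys

# Assumption: binding resource types of the hashicorp/kubernetes provider
# that carry `subject` blocks.
BINDING_TYPES = {
    "kubernetes_role_binding",
    "kubernetes_role_binding_v1",
    "kubernetes_cluster_role_binding",
    "kubernetes_cluster_role_binding_v1",
}


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def default_sa_subjects(resource):
    """Return the subject blocks of a binding that name the `default` ServiceAccount.

    In plan JSON, nested blocks such as `subject` are lists of objects.
    """
    subjects = resource.get("values", {}).get("subject", []) or []
    return [
        s for s in subjects
        if s.get("kind") == "ServiceAccount" and s.get("name") == "default"
    ]


def scan_plan(plan):
    """Return [(resource_address, subject_namespace), ...] for each offending subject.

    A ServiceAccount subject without a namespace cannot match any real
    account, so it is reported as "(unset)" rather than guessed.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    hits = []
    for res in iter_resources(root):
        if res.get("type") not in BINDING_TYPES:
            continue
        for subj in default_sa_subjects(res):
            hits.append((res["address"], subj.get("namespace") or "(unset)"))
    return hits


# Constructed plan excerpt: the vulnerable sample, the clean sample, and a
# ClusterRoleBinding to a default ServiceAccount inside a child module.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "kubernetes_role_binding.example",
                    "type": "kubernetes_role_binding",
                    "values": {
                        "metadata": [{"name": "terraform-example", "namespace": "default"}],
                        "role_ref": [{"api_group": "rbac.authorization.k8s.io", "kind": "Role", "name": "admin"}],
                        "subject": [
                            {"kind": "User", "name": "admin", "api_group": "rbac.authorization.k8s.io"},
                            {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
                            {"kind": "Group", "name": "system:masters", "api_group": "rbac.authorization.k8s.io"},
                        ],
                    },
                },
                {
                    "address": "kubernetes_role_binding.example2",
                    "type": "kubernetes_role_binding",
                    "values": {
                        "metadata": [{"name": "terraform-example", "namespace": "default"}],
                        "role_ref": [{"api_group": "rbac.authorization.k8s.io", "kind": "Role", "name": "admin"}],
                        "subject": [
                            {"kind": "ServiceAccount", "name": "serviceExample", "namespace": "kube-system"},
                        ],
                    },
                },
            ],
            "child_modules": [
                {
                    "address": "module.ci",
                    "resources": [
                        {
                            "address": "module.ci.kubernetes_cluster_role_binding_v1.ci",
                            "type": "kubernetes_cluster_role_binding_v1",
                            "values": {
                                "role_ref": [{"api_group": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"}],
                                "subject": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}],
                            },
                        }
                    ],
                }
            ],
        }
    }
}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python3 check_default_sa.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for address, namespace in scan_plan(plan):
        print(f"{address}: binds a Role/ClusterRole to ServiceAccount default in namespace {namespace}")
```

Running it against a real plan is a cheap pre-apply gate; the same predicate (`kind == "ServiceAccount"` and `name == "default"`) can be pointed at `kubectl get rolebindings,clusterrolebindings -A -o json` to find bindings that already exist in a cluster rather than only those being planned.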