Role Binding To Default Service Account
- Query id: 1e749bc9-fde8-471c-af0c-8254efd2dee5
- Query name: Role Binding To Default Service Account
- Platform: Kubernetes
- Severity: Medium
- Category: Insecure Defaults
- CWE: 665
- URL: Github
Description
Neither a Role nor a ClusterRole should be bound to a default service account
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
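
The same check can be run against bindings exported from a cluster as JSON. This is an added example, not the query's own code: the function names and the sample data are assumptions, with the first sample item mirroring the positive test above and the other two constructed for illustration.

```python
import json

BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}

# Constructed sample in the shape of `kubectl get ... -o json` (a kind: List).
# The first item mirrors the page's positive test; the other two are invented.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
   "subjects": [{"kind": "User", "name": "jane"},
                {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}],
   "roleRef": {"kind": "Role", "name": "pod-reader"}},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "example-view"},
   "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}],
   "roleRef": {"kind": "ClusterRole", "name": "view"}},
  {"kind": "RoleBinding", "metadata": {"name": "read-pods-dedicated", "namespace": "dev"},
   "subjects": [{"kind": "ServiceAccount", "name": "pod-reader-sa", "namespace": "dev"}],
   "roleRef": {"kind": "Role", "name": "pod-reader"}}
]}
""")

def iter_objects(doc):
    """Yield each object from a single manifest or from a *List wrapper."""
    if doc.get("kind", "").endswith("List"):
        yield from doc.get("items") or []
    else:
        yield doc

def find_default_sa_bindings(doc):
    """Return one finding per subject that is a ServiceAccount named 'default'."""
    findings = []
    for obj in iter_objects(doc):
        if obj.get("kind") not in BINDING_KINDS:
            continue
        meta = obj.get("metadata") or {}
        # `subjects` may be absent or null on a binding; treat both as empty.
        for idx, subj in enumerate(obj.get("subjects") or []):
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                findings.append({
                    "binding": f'{obj["kind"]}/{meta.get("name")}',
                    "subject_path": f"subjects[{idx}]",
                    "sa_namespace": subj.get("namespace"),
                    "role": (obj.get("roleRef") or {}).get("name"),
                })
    return findings

if __name__ == "__main__":
    for finding in find_default_sa_bindings(SAMPLE):
        print(finding)
```

The binding to the dedicated `pod-reader-sa` account is not reported, which is the shape a remediated manifest takes.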