Metadata

Id: 1e749bc9-fde8-471c-af0c-8254efd2dee5

Cloud Provider: k8s

Framework: Kubernetes

Severity: Medium

Category: Insecure Defaults

Description

No Role or ClusterRole should be bound to a namespace's default service account. Every pod in a namespace that does not set its own serviceAccountName runs as that namespace's default service account, so binding a role to it grants the role's permissions to all such pods rather than to the one workload that needs them.

Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Non-Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
# Non-compliant subject: the default ServiceAccount of the kube-system namespace
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
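The check this rule performs can be reproduced against live cluster state. The script below is an added example, not Datadog's rule implementation: it walks the parsed form of `kubectl get rolebindings,clusterrolebindings -A -o json` (a List of bindings) and reports every binding whose subjects include a ServiceAccount named default. The SAMPLE objects are constructed for the example; two of them mirror the compliant and non-compliant manifests above, and a ClusterRoleBinding case is included to show the rule applies cluster-wide as well.

```python
"""Detect RBAC bindings that grant a Role or ClusterRole to a default ServiceAccount.

Added example, not Datadog's own rule implementation. It inspects Kubernetes
objects in the parsed form that `kubectl get rolebindings,clusterrolebindings
-A -o json` produces (a List whose items are the bindings). The SAMPLE data at
the bottom is constructed for this example.
"""
import json
import sys

BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}


def iter_bindings(obj):
    """Yield RoleBinding/ClusterRoleBinding objects from a single object or a kubectl List."""
    if obj.get("kind") == "List":
        for item in obj.get("items", []):
            yield from iter_bindings(item)
    elif obj.get("kind") in BINDING_KINDS:
        yield obj


def default_sa_subjects(binding):
    """Return the subjects of one binding that name a ServiceAccount called 'default'."""
    return [
        s for s in (binding.get("subjects") or [])
        if s.get("kind") == "ServiceAccount" and s.get("name") == "default"
    ]


def audit(obj):
    """Return one finding per (binding, default-SA subject) pair; empty when compliant."""
    findings = []
    for binding in iter_bindings(obj):
        meta = binding.get("metadata", {})
        ref = binding.get("roleRef", {})
        for subject in default_sa_subjects(binding):
            findings.append({
                "binding": f'{binding["kind"]}/{meta.get("name")}',
                # The API server requires a namespace on ServiceAccount subjects; the
                # fallback to the binding's namespace only matters for hand-written manifests.
                "service_account": f'{subject.get("namespace", meta.get("namespace"))}/default',
                "grants": f'{ref.get("kind")}/{ref.get("name")}',
            })
    return findings


# Constructed sample: what a parsed `kubectl get ... -o json` List might contain.
SAMPLE = {
    "kind": "List",
    "items": [
        {   # compliant: only a User subject
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": "read-pods", "namespace": "default"},
            "subjects": [{"kind": "User", "name": "jane", "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
        },
        {   # non-compliant: also binds kube-system's default ServiceAccount
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": "read-pods-sa", "namespace": "default"},
            "subjects": [
                {"kind": "User", "name": "jane", "apiGroup": "rbac.authorization.k8s.io"},
                {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
            ],
            "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
        },
        {   # non-compliant and cluster-wide: a ClusterRole handed to a default ServiceAccount
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": "view-everything"},
            "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}],
            "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": "rbac.authorization.k8s.io"},
        },
        {   # compliant: a dedicated ServiceAccount instead of 'default'
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": "read-pods-app", "namespace": "dev"},
            "subjects": [{"kind": "ServiceAccount", "name": "pod-reader-sa", "namespace": "dev"}],
            "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
        },
    ],
}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get ... -o json` to audit a real cluster; otherwise use SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print(f'{f["binding"]} grants {f["grants"]} to ServiceAccount {f["service_account"]}')
```

The remediation on a finding is the one the compliant example shows: create a dedicated ServiceAccount for the workload, set it as the pod's serviceAccountName, and point the binding's subject at that account instead of default.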