Service account admission control plugin disabled
Id: 9587c890-0524-40c2-9ce2-663af7c2f063
Cloud Provider: k8s
Platform: Kubernetes
Severity: Medium
Category: Access Control
Description
When kube-apiserver is used, the --disable-admission-plugins flag should not include the ServiceAccount plugin. Disabling the ServiceAccount admission plugin prevents the API server from admitting service account tokens and can break pod authentication and credential provisioning. This rule detects kube-apiserver containers and examines the container command for the --disable-admission-plugins flag containing ServiceAccount.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--enable-admission-plugins=ServiceAccount", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: []
  restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver","--disable-admission-plugins=ServiceAccount"]
    args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--disable-admission-plugins=ServiceAccount"]
  restartPolicy: OnFailure
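As an added example (not Datadog's own rule implementation), the check the description outlines, written in Python: it joins a container's command and args the way the kubelet does, parses --disable-admission-plugins in both the `--flag=a,b` and `--flag a,b` spellings, and reports kube-apiserver containers whose disabled list names ServiceAccount, so it separates the compliant examples above from the non-compliant ones. The helper names (argv_of, demo_pod) and the "first command word is kube-apiserver" heuristic for recognising the container are assumptions made for illustration.

```python
from __future__ import annotations

FLAG = "--disable-admission-plugins"
PLUGIN = "ServiceAccount"


def disabled_plugins(argv: list[str]) -> set[str]:
    """Plugins named by --disable-admission-plugins, in either the
    ``--flag=a,b`` or the ``--flag a,b`` spelling; repeated flags accumulate."""
    found: set[str] = set()
    i = 0
    while i < len(argv):
        if argv[i] == FLAG and i + 1 < len(argv):
            value, i = argv[i + 1], i + 2
        elif argv[i].startswith(FLAG + "="):
            value, i = argv[i].split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        found.update(p.strip() for p in value.split(",") if p.strip())
    return found


def argv_of(container: dict) -> list[str]:
    """Effective command line: `command` followed by `args`, as the kubelet joins them."""
    return list(container.get("command") or []) + list(container.get("args") or [])


def is_kube_apiserver(container: dict) -> bool:
    """Assumption: a kube-apiserver container is one whose first command word is kube-apiserver."""
    argv = argv_of(container)
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "kube-apiserver"


def noncompliant_containers(pod: dict) -> list[str]:
    """Names of kube-apiserver containers in `pod` that disable the ServiceAccount plugin."""
    return [c.get("name", "<unnamed>")
            for c in pod.get("spec", {}).get("containers", [])
            if is_kube_apiserver(c) and PLUGIN in disabled_plugins(argv_of(c))]


def demo_pod(command: list[str], args: list[str]) -> dict:
    """Constructed sample pod mirroring the page's examples (not real cluster data)."""
    container = {"name": "command-demo-container",
                 "image": "gcr.io/google_containers/kube-apiserver-amd64:v1.6.0",
                 "command": command, "args": args}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "command-demo"},
            "spec": {"containers": [container], "restartPolicy": "OnFailure"}}
```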