For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/k8s/service_account_admission_control_plugin_disabled.md. A documentation index is available at /llms.txt.

Service account admission control plugin disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-service-account-admission-control-plugin-disabled

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Access Control

Learn More

Description

When kube-apiserver is used, the --disable-admission-plugins flag should not include the ServiceAccount plugin. Disabling the ServiceAccount admission plugin prevents the API server from admitting service account tokens and can break pod authentication and credential provisioning. This rule detects kube-apiserver containers and examines the container command for the --disable-admission-plugins flag containing ServiceAccount.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--enable-admission-plugins=ServiceAccount", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: []
  restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver","--disable-admission-plugins=ServiceAccount"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--disable-admission-plugins=ServiceAccount"]
  restartPolicy: OnFailure