Default service account in use

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Default service account in use

Metadata

Id: 737a0dd9-0aaa-4145-8118-f01778262b8a

Cloud Provider: Kubernetes

Platform: Terraform

Severity: Low

Category: Insecure Configurations

Learn More

Provider Reference

Description

Default service accounts should not be actively used. The kubernetes_service_account resource named default must include the automount_service_account_token attribute and it must be set to false. If automount_service_account_token is missing, add automount_service_account_token = false; if it is set to true, replace it with false.

Compliant Code Examples

resource "kubernetes_service_account" "example3" {
  metadata {
    name = "default"
  }

  automount_service_account_token = false
}

Non-Compliant Code Examples

resource "kubernetes_service_account" "example" {
  metadata {
    name = "default"
  }
}

resource "kubernetes_service_account" "example2" {
  metadata {
    name = "default"
  }

  automount_service_account_token = true
}