regolibrary
[Question] How to fix the issue of control CIS-5.1.5
Hi, I see the namespace default failed, but Kubescape did not provide any remediation. How can I fix the YAML so it will pass?
YAML:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: my-namespace
    kubernetes.io/metadata.name: my-namespace
  name: my-namespace
```
Hi, the control checks if there is a service account apart from "default" in every namespace and fails those that don't have one. The remediation is to create another SA that is not "default" in this ns.
Thank you. What if my application does not require a service account? Maybe this should fail if there is only the default service account and the configuration of using default service account is set to true.
Hi, in all our controls there is always the case where the misconfiguration we're looking for is intentional. That is what the exceptions are for. In this case - it is more a need to review each namespace rather than fail them automatically. In the future we will have a control status which should represent that better.
As to your suggestion - do you mean checking the automountServiceAccountToken field? That is indeed checked in this control in the default Service Accounts.
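Putting the two replies above together (a non-default ServiceAccount in the namespace, and `automountServiceAccountToken` on the default account), here is one set of manifests that remediates a namespace like the one in the question. This is an added example, not code from the regolibrary project or the thread participants; the `my-app` account and deployment names and the image reference are placeholders.

```yaml
# Added example (not from the regolibrary project): remediation manifests for a
# namespace that currently has only the "default" ServiceAccount.
apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  labels:
    app: my-namespace
    kubernetes.io/metadata.name: my-namespace
---
# Harden the automatically created "default" ServiceAccount so that pods which
# do not name an account get no API token mounted. This is the field mentioned
# above; applying this manifest updates the existing object in place.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: my-namespace
automountServiceAccountToken: false
---
# A dedicated ServiceAccount for the application, so the namespace no longer
# relies solely on "default". If the application never talks to the API server,
# keep token mounting off here as well (least privilege by default).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app            # placeholder name
  namespace: my-namespace
automountServiceAccountToken: false
---
# Workload bound to the dedicated account instead of inheriting "default".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app            # placeholder name
  namespace: my-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-app
      automountServiceAccountToken: false   # explicit pod-level opt-out
      containers:
        - name: app
          image: registry.example/my-app:1.0   # placeholder image
```

Apply the file with `kubectl apply -f` and rescan with Kubescape. Pods that genuinely need API access should instead set `automountServiceAccountToken: true` on their own pod spec (or on their dedicated account) and receive a scoped Role/RoleBinding, rather than re-enabling token mounting on `default` for the whole namespace.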
Looking back at the remediation procedure of this CIS control, I am thinking maybe we should fail workloads that use the default SA, and not the namespaces. (And in the future - change fail to status "to be reviewed") What do you think? @shm12 - thoughts?
@YiscahLevySilas1 any updates here?