XenitAB / gatekeeper-library

Collection of OPA Gatekeeper policies that can be used in your Kubernetes cluster.
MIT License
14 stars, 7 forks

disable rolebinding to default service account #77

Open NissesSenap opened 2 years ago

NissesSenap commented 2 years ago

Our general users have the possibility of creating rolebindings and roles in their tenant namespace. This is fine, but we should create an OPA rule that says that it's impossible to bind a rolebinding to the default service account.

This is to lower the risk of someone giving the account more access and another pod that is using the default service account also gaining the same access. If you as a user have a use-case to set up RBAC rules for a service account, you should know enough to create a service account as well and use that in your deployment.

Another option could also be to disable the usage of the default service account altogether, but I think that will create too many issues vs the value it gives us. We have already disabled mounting the service account token by default on all our pods.
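One way to implement the requested check as a Gatekeeper ConstraintTemplate plus Constraint, added here as an example (not code from the XenitAB/gatekeeper-library repository or from the issue author). The template name, kind and constraint name are assumed; the Constraint also matches ClusterRoleBinding, which the issue itself does not ask for.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenydefaultsabinding   # assumed name, not from the repository
spec:
  crd:
    spec:
      names:
        kind: K8sDenyDefaultSABinding
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenydefaultsabinding

        # Reject any binding whose subjects include a ServiceAccount named
        # "default". A subject without an explicit namespace refers to the
        # binding's own namespace, so fall back to that for the message.
        violation[{"msg": msg}] {
          obj := input.review.object
          subject := obj.subjects[_]
          subject.kind == "ServiceAccount"
          subject.name == "default"
          sa_ns := object.get(subject, "namespace", object.get(obj.metadata, "namespace", ""))
          msg := sprintf(
            "%v %v binds %v %v to the default ServiceAccount in namespace %q; create a dedicated ServiceAccount instead",
            [obj.kind, obj.metadata.name, obj.roleRef.kind, obj.roleRef.name, sa_ns],
          )
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyDefaultSABinding
metadata:
  name: deny-default-sa-binding   # assumed name
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding", "ClusterRoleBinding"]
```

Apply with `kubectl apply -f` after Gatekeeper is installed; a `RoleBinding` whose `subjects` list contains `{kind: ServiceAccount, name: default}` is then rejected at admission with the message above, while bindings to dedicated service accounts are unaffected.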