kubescape / regolibrary

The regolibrary package contains the controls Kubescape uses for detecting misconfigurations in Kubernetes manifests.
Apache License 2.0

[Question] How to fix the issue of control CIS-5.1.5 #165

Open dwertent opened 1 year ago

dwertent commented 1 year ago

Hi, I see the namespace default failed, but Kubescape did not provide any remediation. How can I fix the YAML so it will pass?

YAML:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: my-namespace
    kubernetes.io/metadata.name: my-namespace
  name: my-namespace
```

YiscahLevySilas1 commented 1 year ago

Hi, the control checks if there is a service account apart from "default" in every namespace and fails those that don't have one. The remediation is to create another SA that is not "default" in this ns.

dwertent commented 1 year ago

Thank you. What if my application does not require a service account? Maybe this should fail if there is only the default service account and the configuration for using the default service account is set to true.

YiscahLevySilas1 commented 1 year ago

Hi, in all our controls there is always the case where the misconfiguration we're looking for is intentional. That is what the exceptions are for. In this case it is more a need to review each namespace rather than fail them automatically. In the future we will have a control status which should represent that better.

As to your suggestion - do you mean checking the automountServiceAccountToken field? That is indeed checked in this control in the default Service Accounts.

YiscahLevySilas1 commented 1 year ago

Looking back at the remediation procedure of this CIS control, I am thinking maybe we should fail workloads that use the default SA, and not the namespaces. (And in the future - change fail to status "to be reviewed") What do you think? @shm12 - thoughts?
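The two ways of evaluating this control that the thread discusses, the current per-namespace check described a few comments up and the per-workload check proposed just above, as an added Python example. This is not Kubescape's Rego and not code from the thread; it re-implements the described logic in plain Python over constructed manifests. `namespace_findings` fails a namespace that has no ServiceAccount other than `default` or whose `default` ServiceAccount does not set `automountServiceAccountToken: false`. `workload_findings` fails a workload that runs as the `default` ServiceAccount while a token would actually be mounted, resolving the pod-level field before the ServiceAccount's as Kubernetes does. Treating a workload that opts out of the token as passing follows the reporter's suggestion earlier in the thread and is an assumption, as are the function names, the sample objects and the `fixed-ns` namespace; how the real rule resolves these cases should be checked against the control source.

```python
"""Added example: two evaluation strategies for CIS 5.1.5 over constructed manifests.

Not Kubescape's own code. Variant A mirrors the per-namespace check the maintainer
describes; Variant B mirrors the per-workload check proposed in the thread, with the
"no token mounted -> pass" rule taken from the reporter's suggestion (an assumption).
"""
from typing import Any, Dict, List, Optional, Tuple

Manifest = Dict[str, Any]
WORKLOAD_KINDS = ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job")


def _ns(obj: Manifest) -> str:
    # Namespaced objects without an explicit namespace land in "default".
    return obj.get("metadata", {}).get("namespace", "default")


def _name(obj: Manifest) -> str:
    return obj["metadata"]["name"]


def _pod_spec(obj: Manifest) -> Dict[str, Any]:
    # A bare Pod carries its spec directly; the other kinds wrap it in spec.template.
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def namespace_findings(objs: List[Manifest]) -> Dict[str, List[str]]:
    """Variant A: evaluate each Namespace. An empty reason list means the namespace passes."""
    findings: Dict[str, List[str]] = {}
    sas = [o for o in objs if o["kind"] == "ServiceAccount"]
    for ns in (_name(o) for o in objs if o["kind"] == "Namespace"):
        reasons: List[str] = []
        ns_sas = [sa for sa in sas if _ns(sa) == ns]
        if not any(_name(sa) != "default" for sa in ns_sas):
            reasons.append("no ServiceAccount other than 'default'")
        for sa in ns_sas:
            if _name(sa) == "default" and sa.get("automountServiceAccountToken") is not False:
                reasons.append("default ServiceAccount does not set automountServiceAccountToken: false")
        findings[ns] = reasons
    return findings


def token_mounted(pod_spec: Dict[str, Any], sa: Optional[Manifest]) -> bool:
    """Effective automount: pod-level field wins, then the ServiceAccount's, then the Kubernetes default (true)."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    if sa is not None and "automountServiceAccountToken" in sa:
        return bool(sa["automountServiceAccountToken"])
    return True


def workload_findings(objs: List[Manifest]) -> Dict[str, List[str]]:
    """Variant B: evaluate each workload. Key is "namespace/Kind/name"; empty list means pass."""
    sa_index: Dict[Tuple[str, str], Manifest] = {
        (_ns(o), _name(o)): o for o in objs if o["kind"] == "ServiceAccount"
    }
    findings: Dict[str, List[str]] = {}
    for o in objs:
        if o["kind"] not in WORKLOAD_KINDS:
            continue
        spec, ns = _pod_spec(o), _ns(o)
        sa_name = spec.get("serviceAccountName") or "default"  # omitted -> the default SA
        reasons: List[str] = []
        if sa_name == "default" and token_mounted(spec, sa_index.get((ns, "default"))):
            reasons.append("runs as the 'default' ServiceAccount with its token mounted")
        findings[f"{ns}/{o['kind']}/{_name(o)}"] = reasons
    return findings


_CONTAINERS = [{"name": "app", "image": "nginx"}]

# Constructed sample: the reporter's namespace as posted (only the API-server-created
# default SA, no automount setting), plus a hypothetical "fixed-ns" that applies the
# remediation the maintainer describes.
SAMPLE: List[Manifest] = [
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "my-namespace"}},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "my-namespace"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "my-namespace"},
     "spec": {"template": {"spec": {"containers": _CONTAINERS}}}},
    # Uses the default SA but opts out of the token at pod level: fails A, passes B.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug", "namespace": "my-namespace"},
     "spec": {"automountServiceAccountToken": False, "containers": _CONTAINERS}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "fixed-ns"}},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "fixed-ns"},
     "automountServiceAccountToken": False},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "web-sa", "namespace": "fixed-ns"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "fixed-ns"},
     "spec": {"template": {"spec": {"serviceAccountName": "web-sa", "containers": _CONTAINERS}}}},
]

if __name__ == "__main__":
    for label, result in (("namespaces", namespace_findings(SAMPLE)),
                          ("workloads", workload_findings(SAMPLE))):
        print(label)
        for key, reasons in result.items():
            print(f"  {key}: {'PASS' if not reasons else 'FAIL: ' + '; '.join(reasons)}")
```

Running it shows why the two variants answer the reporter's question differently: under Variant A `my-namespace` fails on both counts no matter what its workloads do, while under Variant B only the Deployment that silently runs as `default` with a mounted token fails, and the pod that set `automountServiceAccountToken: false` passes. The `fixed-ns` objects double as the remediation described above, a named ServiceAccount for the workload plus `automountServiceAccountToken: false` on `default`.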

dwertent commented 10 months ago

@YiscahLevySilas1 any updates here?