Pods SHOULD NOT use the "default" service account.
Pods for different applications SHOULD run under their own service accounts.
Existing Rules:
accounts_unique_service_account
Rights SHOULD NOT be granted to the "default" service account. Access rights for the service accounts of the applications' pods SHOULD be limited to those that are strictly necessary.
Existing Rules:
rbac_least_privilege
rbac_wildcard_use
Potentially new rules?
A check that the "default" service account in each namespace has no RoleBinding or ClusterRoleBinding beyond the ones OpenShift ships by default?
Pods that do not require a service account SHOULD NOT be able to view it or access its tokens (i.e. the token SHOULD NOT be automounted).
Existing rules:
accounts_restrict_service_account_tokens
Only control plane pods and pods that absolutely need them SHOULD use privileged service accounts.
Existing rules:
scc_limit_privileged_containers
Potentially other scc_* Rules
Automation programs SHOULD each receive their own tokens, even if they share a common service account due to similar tasks.
Existing Rules:
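As an added example (not part of these notes and not one of the ComplianceAsCode rules named above), the following Python audits a constructed set of Kubernetes/OpenShift API objects against the first four requirements: pods on the "default" service account, user-created bindings that grant rights to "default" (the candidate new rule), wildcard RBAC rules, automounted tokens, and privileged containers as a manifest-level stand-in for the SCC check. The object shapes follow the Kubernetes API; the object names, namespaces and the allowlisting of bindings named system:* are assumptions for illustration. The last requirement (one token per automation program) concerns how tokens are issued, not what the manifests contain, so it is not covered here.

```python
"""Constructed audit of Kubernetes/OpenShift objects against the
service-account requirements above. Hypothetical helper, not a
ComplianceAsCode rule and not OpenShift code."""
from typing import Any, Dict, List, Tuple

# Bindings shipped by the platform are named system:*; they are skipped
# (assumption) so only user-created grants to "default" are reported.
SYSTEM_PREFIX = "system:"


def effective_automount(pod: Dict[str, Any],
                        sa_automount: Dict[Tuple[str, str], bool]) -> bool:
    """Pod-level automountServiceAccountToken overrides the ServiceAccount's
    setting; both default to true (Kubernetes semantics)."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    return sa_automount.get(key, True)


def pod_findings(pod: Dict[str, Any],
                 sa_automount: Dict[Tuple[str, str], bool]) -> List[str]:
    out: List[str] = []
    name = f"pod {pod['metadata']['namespace']}/{pod['metadata']['name']}"
    spec = pod["spec"]
    if spec.get("serviceAccountName", "default") == "default":
        out.append(f"{name}: runs under the default service account")
    if effective_automount(pod, sa_automount):
        out.append(f"{name}: service account token is automounted")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged", False):
            out.append(f"{name}: container {c['name']} is privileged")
    return out


def binding_findings(binding: Dict[str, Any]) -> List[str]:
    """Flag RoleBindings/ClusterRoleBindings whose subjects include a
    ServiceAccount named "default", ignoring platform-shipped bindings."""
    out: List[str] = []
    if binding["metadata"]["name"].startswith(SYSTEM_PREFIX):
        return out
    name = f"{binding['kind']} {binding['metadata']['name']}"
    for s in binding.get("subjects", []):
        if s.get("kind") == "ServiceAccount" and s.get("name") == "default":
            out.append(f"{name}: grants rights to the default SA in {s.get('namespace')}")
    return out


def role_findings(role: Dict[str, Any]) -> List[str]:
    """Flag '*' in apiGroups, resources or verbs of any rule."""
    out: List[str] = []
    name = f"{role['kind']} {role['metadata']['name']}"
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                out.append(f"{name}: rule {i} uses a wildcard in {field}")
    return out


def audit(objects: List[Dict[str, Any]]) -> List[str]:
    sa_automount = {
        (o["metadata"]["namespace"], o["metadata"]["name"]):
            o.get("automountServiceAccountToken", True)
        for o in objects if o["kind"] == "ServiceAccount"}
    findings: List[str] = []
    for o in objects:
        if o["kind"] == "Pod":
            findings += pod_findings(o, sa_automount)
        elif o["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings += binding_findings(o)
        elif o["kind"] in ("Role", "ClusterRole"):
            findings += role_findings(o)
    return findings


# Constructed sample objects: one weak and one hardened variant of each kind.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "legacy-batch", "namespace": "apps"},
            "spec": {"containers": [{"name": "job", "image": "example/batch",
                                     "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"kind": "Pod", "metadata": {"name": "billing-api", "namespace": "apps"},
                "spec": {"serviceAccountName": "billing-api",
                         "automountServiceAccountToken": False,
                         "containers": [{"name": "api", "image": "example/billing"}]}}
BILLING_SA = {"kind": "ServiceAccount", "automountServiceAccountToken": False,
              "metadata": {"name": "billing-api", "namespace": "apps"}}
DEFAULT_SA_BINDING = {"kind": "RoleBinding",  # user-created grant to "default"
                      "metadata": {"name": "give-default-edit", "namespace": "apps"},
                      "roleRef": {"kind": "ClusterRole", "name": "edit"},
                      "subjects": [{"kind": "ServiceAccount", "name": "default",
                                    "namespace": "apps"}]}
SYSTEM_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
                  "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
                  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
WILDCARD_CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
                         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
SCOPED_ROLE = {"kind": "Role", "metadata": {"name": "billing-reader", "namespace": "apps"},
               "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                          "verbs": ["get", "list"]}]}
SAMPLE_OBJECTS = [WEAK_POD, HARDENED_POD, BILLING_SA, DEFAULT_SA_BINDING,
                  SYSTEM_BINDING, WILDCARD_CLUSTER_ROLE, SCOPED_ROLE]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OBJECTS):
        print(finding)
```

Against the sample set the weak pod produces three findings (default SA, automounted token, privileged container), the binding to "default" one, and the wildcard ClusterRole one per field; the hardened pod, the platform binding and the scoped Role produce none. On a real cluster the input would be the JSON from `oc get pods,serviceaccounts,roles,rolebindings,clusterroles,clusterrolebindings -A -o json`; the allowlist by name is a simplification, since OpenShift's default bindings are better identified by the cluster's own manifests than by prefix.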