sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide
Other
7 stars 1 forks source link

APP.4.4.A9 #35

Closed sluetze closed 4 months ago

benruland commented 10 months ago

Pods SHOULD NOT use the "default" service account. Pods for different applications SHOULD run under their own service accounts.

Existing Rules:

Rights SHOULD NOT be granted to the "default" service account. Access rights for the service accounts of the applications' pods SHOULD be limited to those that are strictly necessary.

Existing Rules:

Potentially new rules?

Pods that do not require a service account SHOULD not be able to view it or have access to corresponding tokens.

Existing rules:

Only control plane pods and pods that absolutely need them SHOULD use privileged service accounts.

Existing rules:

Automation programs SHOULD each receive their own tokens, even if they share a common service account due to similar tasks.

Org-only

benruland commented 7 months ago

PR created: https://github.com/ComplianceAsCode/content/pull/11559

sluetze commented 4 months ago

merged upstream