Property
Language: terraform
Severity: low

Description#

The Kubernetes API server is started with the ServiceAccount admission plugin disabled, that is, ServiceAccount appears in the value of the --disable-admission-plugins flag. This plugin is what ties service accounts to pods: it assigns the namespace's default service account to pods that do not name one, rejects pods that reference a service account that does not exist in their namespace, and takes care of mounting the service account token and attaching the account's image pull secrets. Disabling it removes these controls over how service accounts are validated and associated with pods.

Impact#

With the plugin disabled, pods that reference a non-existent service account are admitted, pods with no serviceAccountName no longer receive the namespace default, and token handling becomes inconsistent from workload to workload. The result is insecure and unpredictable service account usage, which makes it easier for a workload to end up running with default or broader-than-intended credentials and raises the risk of privilege escalation, unauthorized API access, and lateral movement within the cluster.

Resolution#

Follow the Kubernetes documentation and create the ServiceAccount objects your workloads need, then reference them explicitly from pod specifications rather than relying on the namespace default. Next, edit the API server static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml on each control plane (master) node and ensure that the --disable-admission-plugins parameter, if present at all, is set to a value that does not include ServiceAccount. The plugin is enabled by default, so it does not need to be added to --enable-admission-plugins; it only needs to be absent from the disable list. Because the file is a static pod manifest, the kubelet restarts the API server automatically once it is saved. Verify the change on the node with ps -ef | grep kube-apiserver and confirm that ServiceAccount no longer appears in the --disable-admission-plugins argument.
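As an added audit helper (example code written for this page, not part of the original rule or of any scanner), the POSIX shell script below extracts the --disable-admission-plugins value from either a kube-apiserver static pod manifest or a ps command line and reports FAIL when ServiceAccount is listed as a whole element. The two manifests embedded in it are constructed samples: one with the weak setting, one corrected as described above.

```shell
#!/bin/sh
# Audit helper for the ServiceAccount admission plugin check.
# Works on the text of /etc/kubernetes/manifests/kube-apiserver.yaml or on the
# output of "ps -ef | grep kube-apiserver", since both carry the flag as
# "--disable-admission-plugins=<comma-separated list>".

# Constructed sample: misconfigured manifest that disables ServiceAccount.
WEAK_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0
    command:
    - kube-apiserver
    - --disable-admission-plugins=ServiceAccount,AlwaysPullImages
    - --enable-admission-plugins=NodeRestriction'

# Constructed sample: corrected manifest, ServiceAccount removed from the list.
FIXED_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0
    command:
    - kube-apiserver
    - --disable-admission-plugins=AlwaysPullImages
    - --enable-admission-plugins=NodeRestriction'

# Constructed sample: a ps-style command line without the flag at all
# (the plugin is enabled by default, so this passes).
NO_FLAG_CMDLINE='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --enable-admission-plugins=NodeRestriction --secure-port=6443'

# Print the comma-separated list given to --disable-admission-plugins (first
# occurrence), with surrounding quotes stripped; prints nothing if absent.
disabled_plugins() {
    printf '%s\n' "$1" \
        | grep -o -- '--disable-admission-plugins=[^[:space:]]*' \
        | head -n 1 \
        | cut -d= -f2- \
        | tr -d '"'"'"
}

# Echo PASS/FAIL and return 0/1. ServiceAccount must match as a whole list
# element, so a hypothetical plugin named ServiceAccountFoo would not trigger it.
check_manifest() {
    list=$(disabled_plugins "$1")
    if printf ',%s,' "$list" | grep -q ',ServiceAccount,'; then
        echo FAIL
        return 1
    fi
    echo PASS
    return 0
}

# Live audit on a control plane node: checks the manifest on disk and the
# running process, returning non-zero if either disables the plugin.
audit_node() {
    rc=0
    if [ -r /etc/kubernetes/manifests/kube-apiserver.yaml ]; then
        printf 'manifest: '
        check_manifest "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)" || rc=1
    fi
    printf 'process:  '
    check_manifest "$(ps -ef | grep '[k]ube-apiserver')" || rc=1
    return $rc
}
```

Run audit_node on each control plane node; the process check matters because a manifest edit only takes effect once the kubelet has restarted the static pod, so a FAIL on the process line with a PASS on the manifest line means the restart has not happened yet.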