Kubernetes Engine clusters should not be configured to use the default service account

ID

gcp_gke_using_default_service_account

Severity

low

Vendor

GCP

Resource

IAM

Tags

reachable

Description

Running a Google Kubernetes Engine cluster (or any of its node pools) on the Compute Engine default service account is a security risk. That account is granted the project-wide Editor role, which is far more than the node VMs need: Editor covers read and write access to most Google Cloud resources and services in the project. Every container on a node can obtain the node's service-account token from the metadata server unless Workload Identity (or metadata concealment) is in place, so a single compromised pod or container escape becomes Editor-level access to the project. The same account is used when node_config.service_account is left unset, so omitting the property is not a fix.

To fix it, set the node_config.service_account property to a dedicated, custom service account that holds only the roles the nodes actually need (typically the logging and monitoring writer roles plus read access to the container image registry), and never the Editor role.

Learn more about this topic at Best practices for using service accounts.
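The description above explains what the rule flags; the check below is an added example (not code from the original page or from the rule's author) that audits a live cluster for the same misconfiguration from the output of `gcloud container clusters describe <name> --zone <zone> --format=json`. It reports every node pool whose `config.serviceAccount` is unset, the literal `default`, or the project's `<project-number>-compute@developer.gserviceaccount.com` account. The describe JSON embedded here is constructed for the example, and the pool names and service-account emails in it are assumptions.

```python
import json
import sys

# The Compute Engine default service account always has this form; the
# numeric prefix is the project number.
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def uses_default_service_account(service_account):
    """Return True if a nodeConfig.serviceAccount value resolves to the
    Compute Engine default service account (the case this rule flags)."""
    if not service_account or service_account == "default":
        # GKE falls back to the default account when the field is unset.
        return True
    return service_account.endswith(DEFAULT_SA_SUFFIX)


def audit_cluster(cluster):
    """Return [(node_pool_name, service_account), ...] for every node pool
    that runs on the default service account. `cluster` is the parsed JSON
    from `gcloud container clusters describe <name> --zone <zone> --format=json`."""
    findings = []
    for pool in cluster.get("nodePools", []):
        sa = (pool.get("config") or {}).get("serviceAccount", "")
        if uses_default_service_account(sa):
            findings.append((pool["name"], sa or "<unset>"))
    return findings


# Constructed sample describe output (abridged): the first two pools are
# findings, the third runs on a dedicated, least-privilege account
# (assumed name gke-node-sa in an assumed project test-project).
SAMPLE_CLUSTER = {
    "name": "cluster",
    "location": "us-central1-a",
    "nodePools": [
        {"name": "default-pool",
         "config": {"machineType": "n1-standard-4",
                    "serviceAccount": "default"}},
        {"name": "legacy-pool",
         "config": {"machineType": "n1-standard-4",
                    "serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
        {"name": "app-pool",
         "config": {"machineType": "n1-standard-4",
                    "serviceAccount": "gke-node-sa@test-project.iam.gserviceaccount.com"}},
    ],
}


def main():
    # Use real describe output when it is piped in, otherwise the sample.
    cluster = SAMPLE_CLUSTER if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_cluster(cluster)
    for pool, sa in findings:
        print(f"FAIL: node pool {pool!r} runs on the default service account ({sa})")
    if not findings:
        print("OK: no node pool uses the default service account")


if __name__ == "__main__":
    main()
```

Usage: `gcloud container clusters describe cluster --zone us-central1-a --format=json | python3 audit_gke_sa.py`. A node pool's service account cannot be changed in place, so remediation for a flagged pool means creating a replacement pool on the custom account and then draining and deleting the old one.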

Examples

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_root
      password: secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 100
      # resolves to the Compute Engine default service account, which holds
      # the project Editor role; omitting the key has the same effect
      service_account: "{{ default }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    # legacy basic-auth settings, unrelated to this rule
    master_auth:
      username: cluster_root
      password: secret-password
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 100
      # a dedicated node service account granted only the roles the nodes need,
      # e.g. gke-node-sa@test_project.iam.gserviceaccount.com (Jinja variable
      # names may not contain hyphens, so use an underscore)
      service_account: "{{ app_serviceaccount }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present