Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Limit Default Service Account Usage

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure the default service accounts are not actively used within your OCI Kubernetes Engine (OKE) clusters. This practice allows for precise control, auditing, and review of the specific rights granted to each application.

Security

By default, the Kubernetes default service account is used when a pod lacks a specific one. For any workload needing Kubernetes API access, a custom service account must be defined and granted specific rights. The default service account should be configured to disable its token and remove any inherent permissions.

Audit

To determine if default service accounts are used for your OCI Kubernetes Engine (OKE) cluster, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the kubectl get namespaces command to identify your Kubernetes user-workload namespaces. A Kubernetes user-workload namespace is a logical partition within an OKE cluster intended for hosting applications and services deployed by users or development teams:

    kubectl get namespaces

  8. The command output should return a list with all namespaces. OCI Kubernetes Engine (OKE) clusters come with several default namespaces. Exclude the default OKE system namespaces (i.e., kube-system, kube-public, kube-node-lease, and default) from your check:

    NAME                 STATUS   AGE
default              Active   16d
kube-node-lease      Active   16d
kube-public          Active   16d
kube-system          Active   16d
...
dev                  Active   16d
staging              Active   16d
prod                 Active   16d

  9. Run the kubectl get rolebinding command to check for any RoleBinding that grants permissions directly to the default service account within the specified namespace. Replace \<user-workload-namespace\> with the name of your own namespace:

    kubectl get rolebindings -n <user-workload-namespace> -o json | jq -r '.items[] | select(.subjects[]?.name == "default" and .subjects[]?.kind == "ServiceAccount") | .metadata.name'

  10. The command output should return the names of the RoleBindings within the specified namespace that grant permissions to the default service account:

    default-reader-rolebinding
default-metrics-access

    If the command output returns one or more results, the presence of the RoleBindings confirms that the default service account has explicit privileges. To enforce the Principle of Least Privilege (POLP), it is mandatory to revoke these bindings. The recommended practice is to create and use custom service accounts, explicitly assigning only the necessary permissions.

Remediation / Resolution

To ensure the default service accounts are not actively used within your OCI Kubernetes Engine (OKE) clusters, perform the following actions:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the kubectl get clusterrolebindings command to prevent the default service account's authentication token from being automatically placed into new pods that use it:

    kubectl patch serviceaccount default -p $'automountServiceAccountToken: false'

  8. The command output should return the confirmation status:

    serviceaccount/default patched

  9. Run the kubectl create serviceaccount command to create a new service account in the specified namespace. Replace and \<custom-service-account\></strong> and \<user-workload-namespace\> with your own details:

    kubectl create serviceaccount <custom-service-account> -n <user-workload-namespace>

  10. The command output should return the confirmation status:

    serviceaccount/<custom-service-account> created

  11. Run the kubectl create rolebinding command to grant permissions (RoleBinding). Create a role (or use an existing one) that defines the minimum required access (least privilege), then use a RoleBinding to grant that specific role to your new service account within the specified namespace. Once the necessary permissions are granted, you can assign the service account to your workload. Replace \<binding-name\>, \<role-name\>, \<custom-service-account\> and \<user-workload-namespace\> with your own details:

    kubectl create rolebinding <binding-name> --role=<role-name> --serviceaccount=<user-workload-namespace>:<custom-service-account> -n <user-workload-namespace>

  12. The command output should return the confirmation status:

    rolebinding.rbac.authorization.k8s.io/<binding-name> created

References

Publication date Dec 11, 2025

Related OCI-OKE rules