Control: RoleBinding subjects should not actively use default service accounts
Description
Default service accounts should not be used by RoleBinding subjects.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.role_binding_default_service_account_binding_not_active
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.role_binding_default_service_account_binding_not_active --share
SQL
This control uses a named query:
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when (subject ->> 'kind') = 'ServiceAccount' and (subject ->> 'name') = 'default' then 'alarm'
    else 'ok'
  end as status,
  case
    when (subject ->> 'kind' = 'ServiceAccount') and (subject ->> 'name' = 'default') then name || ' default service accounts active.'
    else name || ' default service accounts not active.'
  end as reason,
  name as role_binding_name,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_role_binding,
  jsonb_array_elements(subjects) as subject;
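The same per-subject check applied to JSON in the shape returned by kubectl get rolebindings -A -o json, as an added example that is not part of the Powerpipe mod. The sample bindings, the function names evaluate and alarms, and the namespace/name fallback for the resource column are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get rolebindings -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "read-pods", "namespace": "app", "uid": "uid-1"},
   "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app"}]},
  {"metadata": {"name": "deployer", "namespace": "app", "uid": "uid-2"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "app"},
                {"kind": "User", "name": "default"}]},
  {"metadata": {"name": "unused", "namespace": "app", "uid": "uid-3"}}
]}
""")


def evaluate(role_bindings):
    """Return one result row per (RoleBinding, subject), like the control's query."""
    rows = []
    for rb in role_bindings.get("items", []):
        meta = rb.get("metadata", {})
        name = meta.get("name", "")
        # A binding with no subjects yields no rows, as the join on subjects does.
        for subject in rb.get("subjects") or []:
            is_default_sa = (subject.get("kind") == "ServiceAccount"
                             and subject.get("name") == "default")
            rows.append({
                # Assumption: fall back to namespace/name when uid is absent.
                "resource": meta.get("uid") or f"{meta.get('namespace')}/{name}",
                "status": "alarm" if is_default_sa else "ok",
                "reason": f"{name} default service accounts "
                          + ("active." if is_default_sa else "not active."),
                "role_binding_name": name,
                "namespace": meta.get("namespace"),
            })
    return rows


def alarms(role_bindings):
    """Names of RoleBindings with at least one default ServiceAccount subject."""
    return sorted({r["role_binding_name"] for r in evaluate(role_bindings)
                   if r["status"] == "alarm"})


if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row["status"], row["namespace"], row["reason"])
```

A subject of kind User that happens to be named default is reported as ok, because the check requires both kind ServiceAccount and name default.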