diff --git a/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md
index 93ff61ceed9..2d836d12fc0 100644
--- a/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md
+++ b/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md
@@ -1975,7 +1975,7 @@ systemctl restart kubelet.service
 #### 5.1.5 Ensure that default service accounts are not actively used. (Scored)
-**Result:** PASS
+**Result:** FAIL
 **Remediation:**
 Create explicit service accounts wherever a Kubernetes workload requires specific access
diff --git a/content/rancher/v2.x/en/security/benchmark-2.4/_index.md b/content/rancher/v2.x/en/security/benchmark-2.4/_index.md
index 30841ba2027..e5a16487085 100644
--- a/content/rancher/v2.x/en/security/benchmark-2.4/_index.md
+++ b/content/rancher/v2.x/en/security/benchmark-2.4/_index.md
@@ -1975,7 +1975,7 @@ systemctl restart kubelet.service
 #### 5.1.5 Ensure that default service accounts are not actively used. (Scored)
-**Result:** PASS
+**Result:** FAIL
 **Remediation:**
 Create explicit service accounts wherever a Kubernetes workload requires specific access
@@ -2006,7 +2006,7 @@ if [[ "${accounts}" != "" ]]; then
   exit 1
 fi
-default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name=="default").metadata.uid' | wc -l)"
+default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name!="default").metadata.uid' | wc -l)"
 if [[ "${default_binding}" -gt 0 ]]; then
   echo "fail: default service accounts have non default bindings"
diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md
index 75a48a7ba50..383cb7c02b9 100644
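Review bot: The 5.1.5 result in benchmark-2.3.5 is flipped to FAIL, but this diff carries no change to that page's audit script, while benchmark-2.4 gets the `.metadata.name!="default"` correction at @@ -2006. If the 2.3.5 page holds the same script (the identical @@ -1975 offset suggests the two pages are parallel copies), it presumably still counts only bindings *named* `default` and will not reproduce the FAIL the result line now reports; apply the same jq change there, or state in the commit why 2.3.5 is left as is.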
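Review bot: The corrected `default_binding` filter still iterates `.subjects[]` twice inside one `select`, so jq evaluates the `and` over the cartesian product of subjects: a binding that lists, say, a User named `default` next to any ServiceAccount is counted although no default service account is bound, and a binding with several matching subjects is emitted more than once, so the `wc -l` count is inflated. A binding whose `subjects` is absent or null also makes `.subjects[]` fail with "Cannot iterate over null", and that error is lost inside the command substitution, leaving a partial count. Evaluating both conditions on the same subject fixes both: `select(any(.subjects[]?; .kind=="ServiceAccount" and .name=="default") and .metadata.name!="default")`. The surrounding audit script, including the `if`/`fi` that consumes `default_binding`, continues outside the hunk.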
--- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md
+++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md
@@ -24,7 +24,8 @@ For more detail about evaluating a hardened cluster against the official CIS ben
 #### Known Issues
-Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- When setting the `default_pod_security_policy_template_id:` to `restricted` Rancher creates **RoleBindings** and **ClusterRoleBindings** on the default service accounts. The default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
 ### Configure Kernel Runtime Parameters
diff --git a/content/rancher/v2.x/en/security/hardening-2.4/_index.md b/content/rancher/v2.x/en/security/hardening-2.4/_index.md
index 494a509d7fc..ce11610407e 100644
--- a/content/rancher/v2.x/en/security/hardening-2.4/_index.md
+++ b/content/rancher/v2.x/en/security/hardening-2.4/_index.md
@@ -24,7 +24,8 @@ For more detail about evaluating a hardened cluster against the official CIS ben
 #### Known Issues
-Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- When setting the `default_pod_security_policy_template_id:` to `restricted` Rancher creates **RoleBindings** and **ClusterRoleBindings** on the default service accounts. The default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
 ### Configure Kernel Runtime Parameters