From 178f2cf3afe1be0ab5486a1cc218070246278035 Mon Sep 17 00:00:00 2001
From: Nelson Roberts
Date: Fri, 5 Jun 2020 16:20:43 -0700
Subject: [PATCH] EIO-4: corrections needed to address issues found in 5.1.5 tests
---
 content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md | 2 +-
 content/rancher/v2.x/en/security/benchmark-2.4/_index.md | 4 ++--
 content/rancher/v2.x/en/security/hardening-2.3.5/_index.md | 3 ++-
 content/rancher/v2.x/en/security/hardening-2.4/_index.md | 3 ++-
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md b/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md
index 93ff61ceed9..2d836d12fc0 100644
--- a/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md
+++ b/content/rancher/v2.x/en/security/benchmark-2.3.5/_index.md
@@ -1975,7 +1975,7 @@ systemctl restart kubelet.service
 #### 5.1.5 Ensure that default service accounts are not actively used. (Scored)
-**Result:** PASS
+**Result:** FAIL
 **Remediation:** Create explicit service accounts wherever a Kubernetes workload requires specific access
diff --git a/content/rancher/v2.x/en/security/benchmark-2.4/_index.md b/content/rancher/v2.x/en/security/benchmark-2.4/_index.md
index 30841ba2027..e5a16487085 100644
--- a/content/rancher/v2.x/en/security/benchmark-2.4/_index.md
+++ b/content/rancher/v2.x/en/security/benchmark-2.4/_index.md
@@ -1975,7 +1975,7 @@ systemctl restart kubelet.service
 #### 5.1.5 Ensure that default service accounts are not actively used. (Scored)
-**Result:** PASS
+**Result:** FAIL
 **Remediation:** Create explicit service accounts wherever a Kubernetes workload requires specific access
@@ -2006,7 +2006,7 @@ if [[ "${accounts}" != "" ]]; then
 exit 1
 fi
-default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name=="default").metadata.uid' | wc -l)"
+default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name!="default").metadata.uid' | wc -l)"
 if [[ "${default_binding}" -gt 0 ]]; then
 echo "fail: default service accounts have non default bindings"
diff --git a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md
index 75a48a7ba50..383cb7c02b9 100644
--- a/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md
+++ b/content/rancher/v2.x/en/security/hardening-2.3.5/_index.md
@@ -24,7 +24,8 @@ For more detail about evaluating a hardened cluster against the official CIS ben
 #### Known Issues
-Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- When setting the `default_pod_security_policy_template_id:` to `restricted` Rancher creates **RoleBindings** and **ClusterRoleBindings** on the default service accounts. The default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
 ### Configure Kernel Runtime Parameters
diff --git a/content/rancher/v2.x/en/security/hardening-2.4/_index.md b/content/rancher/v2.x/en/security/hardening-2.4/_index.md
index 494a509d7fc..ce11610407e 100644
--- a/content/rancher/v2.x/en/security/hardening-2.4/_index.md
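Review bot: The rewritten query on the `+default_binding=` line still expands `.subjects[]` twice, so jq tests `.kind` and `.name` on independent subjects (a Cartesian product) and a binding whose subjects are a ServiceAccount `foo` plus a User named `default` counts as a hit, while a binding that omits the optional `subjects` list makes jq abort with "Cannot iterate over null" and every binding after it is left unchecked, with the non-zero jq status masked by `| wc -l` — a silent pass on the very control this commit is flipping to FAIL. Testing both fields on the same subject and tolerating a missing list addresses both: `select(any(.subjects[]?; .kind=="ServiceAccount" and .name=="default") and .metadata.name!="default")`. The duplicate emissions from the generator are harmless since the count only feeds `-gt 0`, but the audit should still surface a failed jq run (for example `set -o pipefail` before the pipeline, or checking `PIPESTATUS[1]`) rather than reading an aborted run as zero findings. The `if`/`fi` that consumes `default_binding` continues past the end of the hunk.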
+++ b/content/rancher/v2.x/en/security/hardening-2.4/_index.md
@@ -24,7 +24,8 @@ For more detail about evaluating a hardened cluster against the official CIS ben
 #### Known Issues
-Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
+- When setting the `default_pod_security_policy_template_id:` to `restricted` Rancher creates **RoleBindings** and **ClusterRoleBindings** on the default service accounts. The default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
 ### Configure Kernel Runtime Parameters