Scenario #246
Security
K8s v1.22, Google Cloud
Excessive Privileges for Service Accounts
Service accounts were granted excessive privileges, allowing them to perform operations outside their intended scope and widening the damage a compromise of any one of them could cause.
What Happened
Service accounts were assigned broad permissions that allowed them to perform sensitive actions, such as modifying cluster configurations and accessing secret resources.
Diagnosis Steps
1. Audited RBAC configurations and identified several service accounts with excessive privileges.
2. Cross-referenced service account usage with pod deployments and confirmed the access was unnecessary.
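One way to carry out the audit described in the diagnosis steps, as an added example that is not part of the original scenario: a Python script that reads ClusterRole and ClusterRoleBinding objects in the shape `kubectl get ... -o json` returns and flags every ServiceAccount bound to a role with wildcard rules or access to secrets and cluster RBAC objects. The roles, bindings and the list of sensitive resources are constructed sample data, not taken from the cluster in the scenario.

```python
"""Flag service accounts whose bound ClusterRoles reach beyond their scope.
Sample objects below are constructed, mirroring `kubectl -o json` item shapes."""
from typing import Dict, List

# Resources the scenario calls out: secret resources and cluster configuration.
SENSITIVE_RESOURCES = {"secrets", "clusterroles", "clusterrolebindings"}

# Constructed ClusterRole objects (only the fields the audit needs).
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
]
# Constructed ClusterRoleBindings: which subjects hold which ClusterRole.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"roleRef": {"name": "metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prometheus"}]},
    {"roleRef": {"name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "default"},
                  {"kind": "User", "name": "alice"}]},
]

def risky_rules(role: dict) -> List[str]:
    """Reasons a role's rules grant excessive access (empty list if none)."""
    reasons = []
    for rule in role.get("rules", []):
        resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
        if "*" in resources or "*" in verbs:
            reasons.append("wildcard resource or verb")
        if resources & SENSITIVE_RESOURCES:
            reasons.append("touches " + ",".join(sorted(resources & SENSITIVE_RESOURCES)))
    return reasons

def audit(roles, bindings) -> Dict[str, List[str]]:
    """Map 'namespace/serviceaccount' -> findings, for SAs bound to risky roles."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings: Dict[str, List[str]] = {}
    for b in bindings:
        role = b["roleRef"]["name"]
        reasons = risky_rules(by_name.get(role, {}))
        for s in b.get("subjects", []):
            if reasons and s.get("kind") == "ServiceAccount":  # users/groups: out of scope
                findings.setdefault(f"{s['namespace']}/{s['name']}", []).extend(
                    f"{role}: {r}" for r in reasons)
    return findings

if __name__ == "__main__":
    for sa, why in audit(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS).items():
        print(sa, "->", "; ".join(why))
```

Against a live cluster the same functions apply to the `items` lists of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; namespaced Roles and RoleBindings can be fed through the same logic once keyed by namespace.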
Root Cause
Overly permissive RBAC roles and service account configurations granted excessive privileges.
Fix/Workaround
• Updated RBAC roles to follow the principle of least privilege, ensuring service accounts only had the minimum necessary permissions.
• Regularly audited service accounts to verify proper access control.
Lessons Learned
Service accounts should follow the principle of least privilege to limit the impact of any compromise.
How to Avoid
1. Review and restrict service account permissions regularly to ensure they have only the necessary privileges.
2. Implement role-based access control (RBAC) policies that enforce strict access control.