CKS Mock1 1st Question

It is being asked to utilize the service account with least privileges (apply the principle of least privilege and use the service account with the minimum privileges, excluding the default service account).

We have 4 serviceaccounts in omni ns
NAME               SECRETS   AGE
default            1         2m35s
fe                 1         2m35s
frontend           1         2m34s
frontend-default   1         2m34s

Default needs to be excluded as mentioned in the question.

serviceaccount fe is bound to rolebinding fe which has role fe.
root@controlplane:/# kubectl describe role fe -n omni
Name:         fe
Labels:
Annotations:
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  configmaps  []                 []              [create delete]
  secrets     []                 []              [create delete]

serviceaccount frontend is bound to rolebinding frontend which has role frontend.
root@controlplane:/# kubectl describe role frontend -n omni
Name:         frontend
Labels:
Annotations:
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  secrets    []                 []              [create]

How could serviceaccount frontend-default be the one which has least privileges, as it is not attached to any of the two rolebindings? The least privilege service account in this case should be the one whose role allows creating secrets only.

@mmumshad @vijin.palazhi


Hi guys, @mmumshad @vijin.palazhi. Can you please help?

Hello, @sam007

Yeah, if it’s not bound with any rolebinding or clusterrolebinding.

No, it should follow the rule of least privilege. That means if it’s not bound to any role, we can consider it the least privileged compared to the others, which have 1 or 2 privileges.
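Added example, not part of any post in this thread: a small Python sketch that computes each service account's effective permissions from the Roles and RoleBindings described above and ranks the accounts from fewest to most. The data is constructed to mirror the thread's `omni` namespace; the function names are hypothetical, and only namespaced Roles are modelled (ClusterRoleBindings and RoleBindings that reference a ClusterRole would have to be checked as well).

```python
# Constructed sample data mirroring the thread's omni namespace (assumed to
# follow the shape of `kubectl get roles,rolebindings -n omni -o json` items).
NAMESPACE = "omni"
SERVICE_ACCOUNTS = ["default", "fe", "frontend", "frontend-default"]
ROLES = {
    "fe": [{"resources": ["configmaps", "secrets"], "verbs": ["create", "delete"]}],
    "frontend": [{"resources": ["secrets"], "verbs": ["create"]}],
}
ROLE_BINDINGS = [
    {"roleRef": {"kind": "Role", "name": "fe"},
     "subjects": [{"kind": "ServiceAccount", "name": "fe", "namespace": "omni"}]},
    {"roleRef": {"kind": "Role", "name": "frontend"},
     "subjects": [{"kind": "ServiceAccount", "name": "frontend", "namespace": "omni"}]},
]


def subject_matches(subject, sa, namespace):
    """True if an RBAC subject selects the service account, directly or by group."""
    if subject["kind"] == "ServiceAccount":
        return subject["name"] == sa and subject.get("namespace") == namespace
    if subject["kind"] == "Group":
        # Groups that every service account in the namespace belongs to.
        return subject["name"] in {"system:serviceaccounts", "system:authenticated",
                                   f"system:serviceaccounts:{namespace}"}
    return False


def effective_permissions(sa, roles, bindings, namespace=NAMESPACE):
    """Set of (resource, verb) pairs granted to sa by namespaced RoleBindings."""
    granted = set()
    for binding in bindings:
        if not any(subject_matches(s, sa, namespace) for s in binding.get("subjects") or []):
            continue
        for rule in roles.get(binding["roleRef"]["name"], []):
            granted |= {(r, v) for r in rule["resources"] for v in rule["verbs"]}
    return granted


def rank_by_privilege(accounts, roles, bindings, exclude=("default",)):
    """Non-excluded accounts sorted from fewest to most granted pairs."""
    perms = {sa: effective_permissions(sa, roles, bindings)
             for sa in accounts if sa not in exclude}
    return sorted(perms.items(), key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for name, perms in rank_by_privilege(SERVICE_ACCOUNTS, ROLES, ROLE_BINDINGS):
        print(f"{name:18} {len(perms)} {sorted(perms)}")
```

On a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:omni:frontend-default -n omni` gives the API server's own view of the same question, including any group or cluster-wide grants.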

Thanks @Tej-Singh-Rana. Just trying to reiterate, the serviceaccount which is not bound to any role via rolebinding would be least privilege as compared to a serviceaccount which is bound to a rolebinding.
Can you please confirm?