Bug
Resolution: Unresolved
Normal
None
4.16
Moderate
None
False
Description of problem:
Both the Kubernetes and the OpenShift CIS Benchmark have the same wording in the Rationale for "5.1.5 Ensure that default service accounts are not actively used", which, though, is not really a rationale and hence should be changed.

"Rationale: Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments."

Specifically, the part "The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments." should be adjusted, as it is not really clear and does not provide a rationale. Our suggestion would be something like "The default service account should be configured to ensure that it does not automatically provide a service account token, and it must not have any non-default role bindings or custom role assignments."

So in the end, the Rationale may look something like the example below (feel free to adjust the wording as you feel suitable):

"Rationale: Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured to ensure that it does not automatically provide a service account token, and it must not have any non-default role bindings or custom role assignments."
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4
How reproducible:
Always
Steps to Reproduce:
1. N/A
Actual results:
"Rationale: Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments."
Expected results:
A clearer, more suitable explanation in the Rationale, such as the example below:

"Rationale: Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured to ensure that it does not automatically provide a service account token, and it must not have any non-default role bindings or custom role assignments."
Additional info:
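The two conditions the proposed rationale names (no automatically provided token, no role bindings for the default service account) can be checked offline against the JSON that `kubectl`/`oc get ... -o json` emits. The script below is an added example written for this page; it is not part of the bug report, the CIS Benchmark or OpenShift. It assumes the caller has already fetched `serviceaccounts -A -o json` and `rolebindings,clusterrolebindings -A -o json`; the sample objects embedded here are constructed, not from a real cluster. The function name `check_default_service_accounts` and the sample names are hypothetical.

```python
"""Offline check for CIS Kubernetes/OpenShift Benchmark 5.1.5 against kubectl/oc JSON.

Added example (not part of the bug report or the benchmark). Assumes the caller
has run
    kubectl get serviceaccounts -A -o json
    kubectl get rolebindings,clusterrolebindings -A -o json
and passes the parsed documents in. All sample data below is constructed.
"""
from typing import Dict, List

# Groups that contain every service account (cluster-wide or per namespace), so a
# binding to them grants rights to the default SA without naming it.
SA_GROUP_ALL = "system:serviceaccounts"


def check_default_service_accounts(sa_list: dict, bindings: List[dict]) -> Dict[str, List[str]]:
    """Return {"<namespace>/default": [findings]} for each default SA that fails.

    A default SA passes only when both hold:
      1. automountServiceAccountToken is explicitly false on the ServiceAccount
         (an absent field means true, the Kubernetes default).
      2. No RoleBinding or ClusterRoleBinding names it directly as a subject.
    Bindings to system:serviceaccounts or system:serviceaccounts:<ns> cover the
    default SA implicitly and are reported as "indirect" so a reviewer sees them.
    """
    findings: Dict[str, List[str]] = {}
    defaults = [sa for sa in sa_list["items"] if sa["metadata"]["name"] == "default"]

    for sa in defaults:
        ns = sa["metadata"]["namespace"]
        issues: List[str] = []

        # Condition 1: only an explicit false passes; None/absent/True all fail.
        if sa.get("automountServiceAccountToken") is not False:
            issues.append("automountServiceAccountToken is not set to false")

        # Condition 2: walk every binding's subjects.
        for b in bindings:
            bkind, bname = b["kind"], b["metadata"]["name"]
            role = f"{b['roleRef']['kind']} {b['roleRef']['name']}"
            # Stored ServiceAccount subjects carry a namespace; fall back to the
            # RoleBinding's own namespace defensively (ClusterRoleBindings have none).
            bns = b["metadata"].get("namespace")
            for subj in b.get("subjects") or []:
                kind, name = subj.get("kind"), subj.get("name")
                if kind == "ServiceAccount" and name == "default" and subj.get("namespace", bns) == ns:
                    issues.append(f"directly bound by {bkind} {bname} to {role}")
                elif kind == "Group" and name in (SA_GROUP_ALL, f"{SA_GROUP_ALL}:{ns}"):
                    issues.append(f"indirectly covered by {bkind} {bname} via group {name}")

        if issues:
            findings[f"{ns}/default"] = issues
    return findings


# ---- constructed sample input (shape of `kubectl get ... -o json`) ----
SAMPLE_SERVICE_ACCOUNTS = {
    "kind": "List",
    "items": [
        # Compliant: token automount explicitly disabled, no bindings below name it.
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "app-a"},
         "automountServiceAccountToken": False},
        # Non-compliant: field absent (defaults to true) and bindings below grant rights.
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "app-b"}},
        # Not a default SA; ignored by the check.
        {"kind": "ServiceAccount", "metadata": {"name": "api-client", "namespace": "app-b"},
         "automountServiceAccountToken": True},
    ],
}

SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "default-edit", "namespace": "app-b"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app-b"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "app-b-sas-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:app-b"}]},
    {"kind": "RoleBinding", "metadata": {"name": "api-client-view", "namespace": "app-b"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "api-client", "namespace": "app-b"}]},
]

if __name__ == "__main__":
    for sa, issues in check_default_service_accounts(SAMPLE_SERVICE_ACCOUNTS, SAMPLE_BINDINGS).items():
        print(sa)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, `app-a/default` produces no finding, while `app-b/default` is reported three times: the missing `automountServiceAccountToken: false`, the direct `edit` binding, and the indirect `view` grant through `system:serviceaccounts:app-b`. Note that pods can still set `automountServiceAccountToken` on the pod spec, so the SA-level flag is the baseline the benchmark checks, not a guarantee that no pod in the namespace mounts a token.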