- Feature
- Resolution: Unresolved
- Major
Outcome Overview
Security-conscious customers would like to have a hardened OpenShift Platform environment. Some customer teams have flagged the use of the default service account by OpenShift Platform Operators as a security concern.
From ProdSec:
Although OpenShift’s “default” service account offers convenience, its broad and undifferentiated use in production spreads risk, complicates auditing, and violates the principle of least privilege. One should proactively create dedicated service accounts, enforce explicit references in PodSpecs, and leverage OpenShift’s RBAC and SCC features to tighten security.
Success Criteria
Red Hat OpenShift Operators use dedicated SAs that have the minimal set of permissions necessary for usage. These are Operators in the OpenShift-, Kube- and Default namespaces. If any Operators specifically need default SAs, they need a well-documented explanation of why this is necessary and of any security remediations available to scope permissions accordingly.
Expected Results (what, how, when)
CI can use such a gating mechanism to ensure ALL Operators deployed in the OpenShift-, Kube- namespaces follow the best practices going forward.
This can be easily tested using Kyverno, as shared here: https://github.com/boazmichaely/kyverno-default-sa-policy. This repo contains installation instructions, a Kyverno policy, and a shell script to produce a clean report. Attached, AS AN EXAMPLE, is the output of this report on an OOTB cluster created with the ACS "Infra" service. Note that such a cluster does not provide sufficient representation of the customer environment, and it lacks any overlay operators.
Further, you can easily add a RHACS policy to flag this. The attached RHACS policy alerts on usage of default SAs where the service account has elevated privileges.
The expected outcome is to have no violations associated with usage of default SAs by Platform Operators in OpenShift-*, Kube-* namespaces.
The expected outcome is to have only minimal permissions associated with the service accounts used.
The expected outcome would also be to have all OpenShift Platform Operators "pin" SCCs to the dedicated service accounts.
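One way to express the CI gate described above, as an added example that is neither the Kyverno policy from the linked repository nor Red Hat code: it reads JSON shaped like the output of `oc get pods,deployments -A -o json` and reports in-scope objects that run as the default service account. The sample objects, their names, the lowercase namespace patterns and the function names are assumptions made for illustration.

```python
import fnmatch
import json

# Scope named in this request, written as lowercase namespace globs (assumption).
PLATFORM_NAMESPACES = ("openshift-*", "kube-*", "default")

# Constructed sample shaped like `oc get pods,deployments -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Pod", "metadata": {"namespace": "openshift-example-operator", "name": "operator-7d9f"},
  "spec": {"serviceAccountName": "default", "containers": []}},
 {"kind": "Deployment", "metadata": {"namespace": "kube-system", "name": "example-controller"},
  "spec": {"template": {"spec": {"containers": []}}}},
 {"kind": "Pod", "metadata": {"namespace": "openshift-example-operator", "name": "worker-1"},
  "spec": {"serviceAccountName": "example-operator-sa", "containers": []}},
 {"kind": "Pod", "metadata": {"namespace": "customer-app", "name": "web-0"},
  "spec": {"serviceAccountName": "default", "containers": []}}
]}
""")

def pod_spec(obj):
    """Return the PodSpec of a Pod, or the pod template of a workload object."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def default_sa_violations(objects, patterns=PLATFORM_NAMESPACES):
    """List (namespace, kind, name) for in-scope objects running as the default SA."""
    found = []
    for obj in objects.get("items", []):
        meta = obj.get("metadata", {})
        ns = meta.get("namespace", "")
        if not any(fnmatch.fnmatchcase(ns, p) for p in patterns):
            continue  # outside the platform namespaces this request covers
        ps = pod_spec(obj)
        # An unset serviceAccountName is defaulted to "default" at admission,
        # so a missing field counts as a violation too.
        sa = ps.get("serviceAccountName") or ps.get("serviceAccount") or "default"
        if sa == "default":
            found.append((ns, obj.get("kind", ""), meta.get("name", "")))
    return sorted(found)

if __name__ == "__main__":
    violations = default_sa_violations(SAMPLE)
    for ns, kind, name in violations:
        print(f"VIOLATION {ns} {kind}/{name} uses the default service account")
    raise SystemExit(1 if violations else 0)  # non-zero exit fails the CI job
```

Checking workload templates as well as live pods matters because a template that omits `serviceAccountName` only shows `default` once its pods have been admitted.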
Post Completion Review – Actual Results
After completing the work (as determined by the "when" in Expected Results above), list the actual results observed / measured during Post Completion review(s).
- relates to: RFE-3190 How to disable the "Default" service accounts and unused account in Openshift? (Closed)