gke/SEC/2021_001

GKE nodes don’t use the GCE default service account.

Product: Google Kubernetes Engine
Rule class: SEC - Potential security issue

Description

The GCE default service account has more permissions than are required to run your Kubernetes Engine cluster.

Remediation

You should either use GKE Workload Identity or create and use a minimally privileged service account.
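As an added illustration (not gcpdiag's own rule code), the check below parses the node-pool list of a cluster, in the shape returned by `gcloud container clusters describe CLUSTER --format=json`, and reports every node pool that runs as the GCE default service account. The sample cluster JSON is constructed; the GKE API reports the default account either as the literal string `default` (or by omitting `config.serviceAccount`) or as the full `<project-number>-compute@developer.gserviceaccount.com` address, and both forms are matched.

```python
import json
import re
from typing import Optional

# Constructed sample: the shape of `gcloud container clusters describe
# my-cluster --format=json`, reduced to the fields this check needs.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "my-cluster",
  "nodePools": [
    {"name": "default-pool", "config": {"serviceAccount": "default"}},
    {"name": "batch-pool",
     "config": {"serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
    {"name": "hardened-pool",
     "config": {"serviceAccount": "gke-nodes@my-project.iam.gserviceaccount.com"}}
  ]
}
""")

# Email form of the GCE default service account: <project-number>-compute@...
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_service_account(sa: Optional[str]) -> bool:
    """True if a node pool runs as the GCE default service account.

    An unset field means GKE fell back to the default account; the API may
    also report it as the literal "default" or as the full email address.
    """
    if not sa or sa == "default":
        return True
    return DEFAULT_COMPUTE_SA.match(sa) is not None


def find_offending_node_pools(cluster: dict) -> list:
    """Names of node pools in `cluster` that violate gke/SEC/2021_001."""
    return [
        np["name"]
        for np in cluster.get("nodePools", [])
        if uses_default_service_account(np.get("config", {}).get("serviceAccount"))
    ]


if __name__ == "__main__":
    for name in find_offending_node_pools(SAMPLE_CLUSTER):
        print(f"{SAMPLE_CLUSTER['name']}/{name}: runs as the GCE default service account")
```

Fixing a flagged pool means creating a new node pool with `gcloud container node-pools create ... --service-account=SA_EMAIL` pointing at a minimally privileged account, then draining and deleting the old one.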

Further information