lacework-agent uses default service account by default #105

Open
joebowbeer opened this issue Sep 19, 2022 · 2 comments
Comments

@joebowbeer

By default, Lacework uses the default service account, which is something that CIS Benchmark recommends against:

Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server.

I noticed that a serviceAccountName has been added to laceworkConfig. However, this appears to be specific to OpenShift, and assigning a value to this will not create a ServiceAccount resource with this name.

@cirego (Contributor)

cirego commented Sep 19, 2022

Hi @joebowbeer, thanks for raising this. By default, the Lacework agent does not access the Kubernetes API server.

However, we do have a feature in preview where a Lacework workload will access the Kubernetes API server. If that feature is enabled in the Helm Charts, then the charts will create a service account for the workload that is accessing the API server. I believe we are already addressing your concern.

Does this make sense and does this satisfy your concern?

@joebowbeer (Author)

joebowbeer commented Sep 19, 2022

Thanks for the clarification.

Because Lacework is not naming its own service account, it is using the default one.

I think it would be better to be explicit and create a dedicated one. That would bring Lacework into compliance with the CIS Benchmark recommendation which states:

Ensure that default service accounts are not actively used

By the way, why is automountServiceAccountToken not disabled for the default service account in the lacework namespace? If the lacework daemonset is going to use the default service account but not use the k8s API, then I suggest disabling automountServiceAccountToken.
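The two changes discussed in this thread (a dedicated, explicitly named ServiceAccount for the agent, and no token automounted either on that account or on the namespace's default account) look like the manifests below. This is an added example written for this discussion, not a fragment of the Lacework Helm chart; the namespace `lacework`, the DaemonSet and ServiceAccount name `lacework-agent`, the labels and the image reference are assumptions or placeholders, not values taken from the chart.

```yaml
# Added example, not from the Lacework chart. Names below (namespace
# "lacework", "lacework-agent", the image) are assumptions/placeholders.
---
# Dedicated account for the agent. The agent does not call the Kubernetes
# API (per the maintainer's comment above), so no token needs mounting.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lacework-agent
  namespace: lacework
automountServiceAccountToken: false
---
# Lock down the namespace's default account as well, so any workload that
# omits serviceAccountName does not silently receive a token (CIS guidance).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: lacework
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: lacework-agent
  namespace: lacework
spec:
  selector:
    matchLabels:
      app: lacework-agent
  template:
    metadata:
      labels:
        app: lacework-agent
    spec:
      # Explicit account instead of the implicit "default".
      serviceAccountName: lacework-agent
      # The pod-level field overrides the ServiceAccount's setting, so
      # repeating it here keeps the DaemonSet safe even if the account's
      # field is later changed.
      automountServiceAccountToken: false
      containers:
        - name: agent
          # Placeholder image reference; substitute the real agent image.
          image: PLACEHOLDER_REGISTRY/lacework-agent:PLACEHOLDER_TAG
```

After applying this, confirm no token was projected by listing the pod's volumes, e.g. `kubectl -n lacework get pod -l app=lacework-agent -o jsonpath='{.items[0].spec.volumes[*].name}'`; a `kube-api-access-*` volume should be absent. If the preview feature the contributor mentions (a workload that does talk to the API server) is enabled, that workload needs its own account with a token, as the chart reportedly provides; the settings above only cover the agent DaemonSet that does not use the API.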
