Checks for service account defined for GKE nodes
Default Severity: medium
Explanation
You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.
Possible Impact
Service accounts with wide permissions can increase the risk of compromise
Suggested Resolution
Use limited permissions for service accounts to be effective
Insecure Example
The following example will fail the google-gke-use-service-account check.
resource "google_container_cluster" "bad_example" {
node_config {
}
}
Secure Example
The following example will pass the google-gke-use-service-account check.
resource "google_container_cluster" "good_example" {
node_config {
service_account = "cool-service-account@example.com"
}
}