A ServiceAccount is bound to cluster-admin (or an equivalent ClusterRole). Every workload that runs under this account has full cluster access, so compromising any one of those workloads can lead to a takeover of the whole cluster.
Warning
N/A
- Report shows that a ServiceAccount has cluster-admin
- ServiceAccount is a subject of a ClusterRoleBinding whose roleRef is cluster-admin
- Replace with a Role or limited ClusterRole that grants only required permissions
- Prefer namespace-scoped Role and RoleBinding for application ServiceAccounts
- Use dedicated ServiceAccounts per workload and avoid sharing high-privilege accounts
- Audit which pods use the ServiceAccount and reduce scope
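The detection and audit steps above, as an added example that is not part of this page or of any scanner's own code: it walks ClusterRoleBindings to find ServiceAccount subjects bound to cluster-admin or to a ClusterRole with an equivalent wildcard rule, then lists the pods running under each flagged account. The object shapes mirror what `kubectl get clusterroles,clusterrolebindings,pods -A -o json` returns; the ClusterRole, binding, pod and namespace names embedded below are constructed sample data, not values taken from any real cluster.

```python
"""Find ServiceAccounts bound to cluster-admin (or an equivalent wildcard
ClusterRole) and list the pods that run under them.

The sample objects below are constructed for illustration; their shape
matches the List objects printed by `kubectl get ... -o json`.
"""

# Constructed ClusterRoles: the built-in cluster-admin, a custom role that is
# effectively cluster-admin (wildcard on everything), and a scoped role.
CLUSTER_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "ops-superuser"},  # constructed name
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "configmap-reader"},  # constructed name
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list"]}]},
]}

# Constructed ClusterRoleBindings: two that grant admin to a ServiceAccount,
# one that grants a narrow role.
CLUSTER_ROLE_BINDINGS = {"items": [
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"},
                  {"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "ops-bind"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-superuser"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "ops"}]},
    {"metadata": {"name": "cm-bind"},
     "roleRef": {"kind": "ClusterRole", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}]},
]}

# Constructed pods; a pod with no serviceAccountName runs as "default".
PODS = {"items": [
    {"metadata": {"name": "runner-0", "namespace": "ci"},
     "spec": {"serviceAccountName": "ci-runner"}},
    {"metadata": {"name": "web-0", "namespace": "prod"},
     "spec": {"serviceAccountName": "app"}},
    {"metadata": {"name": "legacy-0", "namespace": "ci"}, "spec": {}},
]}


def is_admin_equivalent(rules):
    """True if any rule grants every verb on every resource in every API group."""
    for rule in rules:
        if ("*" in rule.get("verbs", []) and "*" in rule.get("resources", [])
                and "*" in rule.get("apiGroups", [])):
            return True
    return False


def admin_roles(cluster_roles):
    """Names of ClusterRoles that are cluster-admin or equivalent to it."""
    return {cr["metadata"]["name"] for cr in cluster_roles["items"]
            if cr["metadata"]["name"] == "cluster-admin"
            or is_admin_equivalent(cr.get("rules", []))}


def find_admin_service_accounts(cluster_roles, bindings):
    """Return (namespace, serviceaccount, binding, role) for every ServiceAccount
    that is a subject of a ClusterRoleBinding to an admin-equivalent ClusterRole."""
    admins = admin_roles(cluster_roles)
    hits = []
    for crb in bindings["items"]:
        ref = crb["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref["name"] not in admins:
            continue
        for subject in crb.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                hits.append((subject.get("namespace", "default"), subject["name"],
                             crb["metadata"]["name"], ref["name"]))
    return hits


def pods_using(pods, namespace, sa_name):
    """Pods in `namespace` running as `sa_name`; an unset serviceAccountName
    means the namespace's "default" account."""
    return [p["metadata"]["name"] for p in pods["items"]
            if p["metadata"]["namespace"] == namespace
            and p["spec"].get("serviceAccountName", "default") == sa_name]


if __name__ == "__main__":
    for ns, sa, crb, role in find_admin_service_accounts(CLUSTER_ROLES,
                                                         CLUSTER_ROLE_BINDINGS):
        print(f"{ns}/{sa} bound to {role} via ClusterRoleBinding {crb}; "
              f"pods: {pods_using(PODS, ns, sa)}")
```

On the constructed data this reports `ci/ci-runner` (bound to cluster-admin directly) and `ops/ops` (bound to a wildcard ClusterRole), each with the pods that would need a dedicated, namespace-scoped ServiceAccount before the binding is removed. The check is deliberately narrow: it does not resolve aggregated ClusterRoles, and a RoleBinding that references cluster-admin grants admin rights only inside its own namespace, so it is not flagged here.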