A pod uses the default ServiceAccount in its namespace. The default SA is shared by every pod in the namespace that does not name its own, and it often carries more permissions than any one workload needs, so compromising a single pod exposes the token and permissions that every other workload in the namespace relies on.
Warning
N/A
- Report shows: Pod <ns>/<name> uses default ServiceAccount
- spec.serviceAccountName is unset or explicitly "default"
- Create a dedicated ServiceAccount per application or team
- Grant the ServiceAccount only the RBAC permissions it needs (Role + RoleBinding)
- Set spec.serviceAccountName on the pod to the dedicated ServiceAccount
- Disable automounting of the ServiceAccount token where the workload does not call the Kubernetes API (set serviceAccountName to the dedicated SA and automountServiceAccountToken: false on the pod, or on the ServiceAccount itself so it applies to all of its pods)
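The four remediation steps applied together, as an added example that is not part of the original rule page; the namespace (team-a), application (myapp) and ConfigMap (myapp-config) names are assumed placeholders:

```yaml
# Added example, not from the original rule page. Namespace/app names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp
  namespace: team-a
# Safe default: pods using this SA get no token unless they opt in.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myapp-config-reader
  namespace: team-a
rules:
  # Only what the app needs: read one named ConfigMap, nothing else.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["myapp-config"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-config-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: myapp
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myapp-config-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: team-a
spec:
  serviceAccountName: myapp          # dedicated SA, not "default"
  # This pod reads the ConfigMap through the API, so it opts in to a token.
  # A pod that never calls the API leaves this unset and inherits the SA's false.
  automountServiceAccountToken: true
  containers:
    - name: app
      image: registry.example/myapp:1.0   # placeholder image
```

The pod-level automountServiceAccountToken overrides the ServiceAccount-level one, so the SA can default to no token while only the pods that genuinely need API access opt back in.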