ServiceAccount not specified in container

ServiceAccounts grant Kubernetes API permissions to workloads. To use a non-default ServiceAccount, the serviceAccountName field should be set. This validator detects workloads that have no ServiceAccount explicitly set.

Affected Resources: Deployment, DaemonSet, StatefulSet, CronJob, Job, ReplicaSet, Pod

Example

    kind: Deployment
    spec:
      template:
        spec:
          # serviceAccountName:  # field not set
          ...
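The same check applied to parsed manifests, as an added example that is not Kubevious code. It assumes manifests as authored, already loaded into dicts; the function names, the path table and the sample objects are constructed for illustration. The pod spec sits at a different depth for Pod and CronJob than for the other affected kinds, which the table accounts for.

```python
import json

# Path from the object root to the pod spec for each affected kind.
_TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATH = {k: _TEMPLATE for k in
                 ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job")}
POD_SPEC_PATH["Pod"] = ("spec",)
POD_SPEC_PATH["CronJob"] = ("spec", "jobTemplate") + _TEMPLATE

def pod_spec(obj):
    """Return the pod spec dict of a workload, or None for other kinds."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    # A workload with a missing template still counts as "field not set".
    return node if isinstance(node, dict) else {}

def missing_service_account(objects):
    """List "Kind/namespace/name" for workloads with no serviceAccountName."""
    findings = []
    for obj in objects:
        spec = pod_spec(obj)
        if spec is None:
            continue  # not a workload kind (ConfigMap, Service, ...)
        if not spec.get("serviceAccountName"):  # absent, null or empty
            meta = obj.get("metadata", {})
            findings.append(
                f'{obj["kind"]}/{meta.get("namespace", "-")}/{meta.get("name")}')
    return findings

# Constructed sample manifests in JSON form, not from a real cluster.
SAMPLE = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
  "spec": {"template": {"spec": {"containers": []}}}},
 {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
  "spec": {"template": {"spec": {"serviceAccountName": "api-sa"}}}},
 {"kind": "CronJob", "metadata": {"name": "backup", "namespace": "ops"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec": {}}}}}},
 {"kind": "Pod", "metadata": {"name": "debug", "namespace": "ops"},
  "spec": {"serviceAccountName": "default"}},
 {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "ops"}}
]""")

if __name__ == "__main__":
    for finding in missing_service_account(SAMPLE):
        print("no serviceAccountName:", finding)
```

The Pod that names `default` explicitly is not reported, since the condition is about the field being unset rather than about which account is used.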

Resolution

  • This condition doesn't always indicate an error. It is a useful tool for SREs to quickly identify which workloads don't have ServiceAccounts explicitly associated. This validator is disabled by default.