Unused ServiceAccount

ServiceAccounts grant Kubernetes API permissions to workloads. This validator detects ServiceAccounts that are not associated with any workloads. This check is ignored for "default" ServiceAccounts.

Affected Resources: ServiceAccount

Examples

apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot # Unused Service Account

kind: Deployment
spec:
  template:
    spec:
      serviceAccountName: build-robot # Was this a typo?
      ...
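
A minimal sketch of the check this validator describes, added here as an example and not Kubevious's own code: it walks parsed objects (shaped like the `items` of `kubectl get ... -o json`) and lists ServiceAccounts that no workload references. It goes one step further and also lists references to ServiceAccounts that do not exist, which is what the typo in the example above produces. The sample objects, the `ci` namespace and the function names are constructed for illustration.

```python
from collections import defaultdict

# Where each workload kind keeps its pod spec (standard Kubernetes API layout).
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATH = {"Pod": ("spec",), "CronJob": ("spec", "jobTemplate") + TEMPLATE,
                 **{k: TEMPLATE for k in ("Deployment", "StatefulSet", "DaemonSet",
                                          "ReplicaSet", "Job")}}

def pod_spec(obj):
    """Return the pod spec embedded in a workload, or None if obj is not a workload."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    node = obj if path else None
    for key in path or ():
        node = node.get(key) or {}
    return node

def audit(objects):
    """Return (unused ServiceAccounts, dangling references), both sorted by (namespace, name)."""
    declared, referenced = set(), defaultdict(list)
    for obj in objects:
        meta = obj.get("metadata", {})
        ns = meta.get("namespace", "default")
        if obj.get("kind") == "ServiceAccount":
            declared.add((ns, meta["name"]))
            continue
        spec = pod_spec(obj)
        if spec is not None:
            # A pod that names no account runs as the namespace's "default" ServiceAccount.
            sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
            referenced[(ns, sa)].append(f'{obj["kind"]}/{meta.get("name")}')
    unused = sorted(sa for sa in declared - set(referenced) if sa[1] != "default")
    dangling = sorted((sa, users) for sa, users in referenced.items()
                      if sa not in declared and sa[1] != "default")
    return unused, dangling

# Constructed sample mirroring the example above: "robot" is declared, "build-robot" is referenced.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "robot", "namespace": "ci"}},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "ci"}},
    {"kind": "ServiceAccount", "metadata": {"name": "reporter", "namespace": "ci"}},
    {"kind": "Deployment", "metadata": {"name": "builder", "namespace": "ci"},
     "spec": {"template": {"spec": {"serviceAccountName": "build-robot"}}}},
    {"kind": "CronJob", "metadata": {"name": "nightly", "namespace": "ci"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"serviceAccountName": "reporter"}}}}}},
]

if __name__ == "__main__":
    unused, dangling = audit(SAMPLE)
    print("unused:", unused, "\ndangling:", dangling)
```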

Resolution

  • Examine applications within the namespace and determine if the ServiceAccount is supposed to be used in workloads.
  • If the ServiceAccount is supposed to be used, either correct the ServiceAccount name or the reference in the workload.
  • If the ServiceAccount is indeed unused, it may simply need to be removed.