Overview
GKE nodes should use a dedicated IAM service account with only the permissions required for cluster operations. Using the Compute Engine default service account for node access increases blast radius if a node or workload is compromised.
Rationale
Google documents that GKE uses node service accounts for system tasks such as logging and monitoring. The safer pattern is to create a dedicated node service account, grant only the required roles, and keep workload access separate through Workload Identity Federation for GKE where possible.
Remediation guidance
Using Command Line
Create a dedicated node service account:
export PROJECT_ID=$(gcloud config get-value project)
export NODE_SA_NAME=gke-node-sa
gcloud iam service-accounts create $NODE_SA_NAME --display-name="GKE Node Service Account"
export NODE_SA_EMAIL="$NODE_SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
Grant the minimum roles GKE documents for node operation:
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$NODE_SA_EMAIL" --role="roles/container.defaultNodeServiceAccount"
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$NODE_SA_EMAIL" --role="roles/logging.logWriter"
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$NODE_SA_EMAIL" --role="roles/monitoring.metricWriter"
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$NODE_SA_EMAIL" --role="roles/monitoring.viewer"
Create a replacement node pool that uses the dedicated account:
gcloud container node-pools create secure-pool --cluster=[CLUSTER_NAME] --location=[LOCATION] --service-account="$NODE_SA_EMAIL"
Cordon and drain the old nodes so workloads reschedule onto the new node pool, then delete the old pool that ran as the default service account.
Better platform fix
Pair this with Workload Identity Federation for GKE so application Pods do not need to inherit broad node identity permissions.
References
- https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
Service-wide remediation
Recommended when many resources are affected: standardize dedicated node service accounts and stop using the Compute Engine default service account for new clusters and node pools.
Bake the dedicated node service account into your cluster and node-pool modules, then enforce the standard through reviews and IaC.
Operational rollout
- Create the dedicated node service account and validate required GKE permissions.
- Roll out replacement node pools using that identity.
- Migrate workloads and decommission node pools that still use the default service account.
Query logic
These are the stored checks tied to this control.
Default Service account is not used for Project access in Kubernetes Clusters
Connectors / covered asset types: Google Cloud
Expected check: eq [] (the control passes when the query returns no clusters, i.e. no node pool reports nodeConfig.serviceAccount as "default")
{gkeClusters(where:{nodePools_SOME:{nodeConfig:{serviceAccount:"default"}}}){...AssetFragment}}
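The stored check above matches the literal value "default", which is what the GKE API reports when no node service account was specified. As an added example (not part of this control or the tool's own query), the audit below runs the same logic over a constructed cluster listing shaped like `gcloud container clusters list --format=json`, and also flags pools whose operator set the Compute Engine default account explicitly by its `PROJECT_NUMBER-compute@developer.gserviceaccount.com` email, which the stored check would miss; the field names assume the GKE API layout `nodePools[].config.serviceAccount`, and the project, cluster and pool names are invented.

```python
import json
import re

# Constructed sample mimicking `gcloud container clusters list --format=json`,
# reduced to the fields the audit reads (names follow the GKE API, assumed).
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-a", "location": "us-central1", "nodePools": [
        {"name": "default-pool", "config": {"serviceAccount": "default"}},
        {"name": "secure-pool",
         "config": {"serviceAccount": "gke-node-sa@my-proj.iam.gserviceaccount.com"}},
    ]},
    {"name": "dev-b", "location": "europe-west1-b", "nodePools": [
        # Compute Engine default SA set explicitly by email: the stored check
        # (serviceAccount == "default") does not catch this form.
        {"name": "legacy",
         "config": {"serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
    ]},
])

# Email shape of the Compute Engine default service account.
COMPUTE_DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def uses_default_sa(service_account):
    """True when a node pool runs as the Compute Engine default service account,
    whether the API reports it as the literal "default" (or omits the field)
    or as the explicit PROJECT_NUMBER-compute@... email."""
    sa = (service_account or "default").strip()
    return sa == "default" or bool(COMPUTE_DEFAULT_SA.match(sa))


def audit(clusters_json):
    """Return (cluster, location, pool, service_account) for every node pool
    that still runs as the default service account; an empty list means the
    control passes, matching the `eq []` expectation of the stored check."""
    findings = []
    for cluster in json.loads(clusters_json):
        for pool in cluster.get("nodePools", []):
            sa = pool.get("config", {}).get("serviceAccount")
            if uses_default_sa(sa):
                findings.append((cluster["name"], cluster["location"],
                                 pool["name"], sa or "default"))
    return findings


if __name__ == "__main__":
    for cluster, location, pool, sa in audit(SAMPLE_CLUSTERS_JSON):
        print(f"{cluster} ({location}) node pool {pool}: runs as {sa}")
```

Feed it the real listing from `gcloud container clusters list --format=json` and every row it returns is a node pool to replace with one created via `--service-account`, as in the remediation steps above.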