Pattern: Checks that a dedicated service account is defined for GKE nodes
Issue: If node_config.service_account is not set, GKE nodes run as the Compute Engine default service account, which by default is granted the broad project Editor role. Any workload on a node that can reach the instance metadata server can obtain access tokens for that account and inherit those permissions.
You should create and use a minimally privileged service account for your GKE nodes instead of relying on the Compute Engine default service account.
Resolution: Create a dedicated service account, grant it only the roles the nodes need (for example roles/logging.logWriter, roles/monitoring.metricWriter and roles/monitoring.viewer), and reference it in node_config.service_account of the cluster and of every node pool.
Example of incorrect code:
resource "google_container_cluster" "bad_example" {
  name     = "bad-example"
  location = "us-central1"
  # No service_account set: the nodes boot as the Compute Engine default service account
  node_config {
  }
}
Example of correct code:
resource "google_container_cluster" "good_example" {
  name     = "good-example"
  location = "us-central1"
  node_config {
    # Dedicated, minimally privileged service account for the nodes
    service_account = "cool-service-account@example.com"
  }
}
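The correct example above assumes the service account already exists. The following added example (not code from the original rule page) shows the complete resolution in Terraform: a dedicated node service account, IAM bindings limited to the roles nodes need, and the account referenced from both the cluster's node_config and a separately managed node pool. The project ID, names and region are assumptions.

```hcl
# Added example, not from the original rule page. Project ID, names and
# region below are assumptions; substitute your own.

variable "project_id" {
  type    = string
  default = "my-gcp-project" # assumption
}

resource "google_service_account" "gke_nodes" {
  account_id   = "gke-node-sa"
  display_name = "Minimal GKE node service account"
  project      = var.project_id
}

# Only what nodes need: write logs and metrics. Add roles/artifactregistry.reader
# if nodes pull images from a private Artifact Registry repository.
locals {
  node_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
  ]
}

resource "google_project_iam_member" "gke_nodes" {
  for_each = toset(local.node_sa_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "good_example" {
  name     = "good-example"
  location = "us-central1"
  project  = var.project_id

  # The default pool is removed and replaced with the managed pool below, but
  # the cluster-level node_config still sets the service account so the default
  # pool never boots as the Compute Engine default account.
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    service_account = google_service_account.gke_nodes.email
    # Broad OAuth scope; effective permissions are bounded by the IAM roles above.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  cluster    = google_container_cluster.good_example.name
  location   = google_container_cluster.good_example.location
  project    = var.project_id
  node_count = 1

  node_config {
    # Node pools carry their own node_config; the check applies here too.
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

After applying, confirm the running configuration rather than trusting the plan: `gcloud container clusters describe good-example --region us-central1 --format='value(nodeConfig.serviceAccount)'` should print the dedicated account's email, and `gcloud container node-pools describe primary --cluster good-example --region us-central1 --format='value(config.serviceAccount)'` should print the same for the pool. An empty value or the `-compute@developer.gserviceaccount.com` default means the nodes are still running as the Compute Engine default service account.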