CIS-5.1.5 Compliance Failure due to Default Service Account Configuration in TMC Managed Namespaces



Article ID: 389819


Updated On:

Products

VMware Tanzu Mission Control

Issue/Introduction

By default, Tanzu Kubernetes Grid (TKG) workload clusters deployed by standalone management clusters are hardened to the levels documented in the STIG Results and Exceptions and CIS Results and Exceptions references. CIS scans can nevertheless report failures for check 5.1.5 against the default service accounts in TMC-managed namespaces.

Cause

Kubernetes provides a default service account that is used by cluster workloads whenever a pod does not specify a service account of its own. For a cluster to be CIS 5.1.5 compliant, a dedicated service account should be created for each pod that requires access to the Kubernetes API, and the default service account should be configured so that it neither provides a service account token nor carries any explicit rights assignments.

Resolution

The default service accounts need to be configured with the "automountServiceAccountToken: false" parameter. This change must be made on the TMC Engineering side and will be included in a future version of TMC. This KB article will be updated once the fix is released.
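The following audit script is an added example and is not part of this KB article or of any VMware tooling. It checks the two conditions CIS 5.1.5 describes above: that every `default` service account carries `automountServiceAccountToken: false`, and that no RoleBinding or ClusterRoleBinding grants rights to a `default` service account. The sample JSON embedded in it is constructed to look like the output of `kubectl get serviceaccounts -A -o json` and `kubectl get rolebindings,clusterrolebindings -A -o json`; the namespace and binding names in it are invented for illustration. The script only reports findings and prints the `kubectl patch` command that would set the flag; for TMC-managed namespaces the article states that the fix itself comes from TMC.

```python
"""Audit helper for CIS 5.1.5 (default service account hardening).

Added example, not VMware code. Feed it real cluster output with:
  kubectl get serviceaccounts -A -o json > sa.json
  kubectl get rolebindings,clusterrolebindings -A -o json > rb.json
  python audit_cis_5_1_5.py sa.json rb.json
Without arguments it runs against the constructed sample data below.
"""
import json
import sys
from typing import List

# Constructed sample shaped like `kubectl get serviceaccounts -A -o json`.
# Namespace names are placeholders, not values taken from the article.
SAMPLE_SA_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    # Field absent: the API default (true) applies, so a token is mounted.
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "managed-ns-a"}},
    # Explicitly hardened: compliant.
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "kube-system"},
     "automountServiceAccountToken": False},
    # Explicitly set to true: non-compliant.
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "app-team"},
     "automountServiceAccountToken": True},
    # A dedicated (non-default) SA is out of scope for this check.
    {"kind": "ServiceAccount", "metadata": {"name": "agent", "namespace": "managed-ns-a"}},
]})

# Constructed sample shaped like `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE_BINDING_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "RoleBinding", "metadata": {"name": "default-sa-reader", "namespace": "app-team"},
     "roleRef": {"kind": "Role", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app-team"}]},
    {"kind": "RoleBinding", "metadata": {"name": "agent-binding", "namespace": "managed-ns-a"},
     "roleRef": {"kind": "Role", "name": "agent-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "agent", "namespace": "managed-ns-a"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})


def find_noncompliant_defaults(sa_list_json: str) -> List[str]:
    """Return the namespaces whose `default` ServiceAccount still auto-mounts a token.

    Only an explicit `automountServiceAccountToken: false` satisfies the check;
    a missing field means the Kubernetes default of true is in effect.
    """
    doc = json.loads(sa_list_json)
    noncompliant = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        if meta.get("name") != "default":
            continue
        if item.get("automountServiceAccountToken") is not False:
            noncompliant.append(meta["namespace"])
    return sorted(noncompliant)


def default_sa_bindings(binding_list_json: str) -> List[str]:
    """Return 'namespace/name' (or '<cluster>/name') of every binding whose
    subjects include a `default` ServiceAccount. CIS 5.1.5 expects none."""
    doc = json.loads(binding_list_json)
    hits = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                hits.append(f'{meta.get("namespace", "<cluster>")}/{meta["name"]}')
                break
    return sorted(hits)


def remediation_commands(namespaces: List[str]) -> List[str]:
    """kubectl patch commands that set the flag on each namespace's default SA."""
    return [
        f"kubectl -n {ns} patch serviceaccount default "
        f"-p '{{\"automountServiceAccountToken\": false}}'"
        for ns in namespaces
    ]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sa_json = open(sys.argv[1], encoding="utf-8").read()
        rb_json = open(sys.argv[2], encoding="utf-8").read()
    else:
        sa_json, rb_json = SAMPLE_SA_LIST, SAMPLE_BINDING_LIST
    bad_ns = find_noncompliant_defaults(sa_json)
    print("default SAs still mounting tokens:", bad_ns or "none")
    for cmd in remediation_commands(bad_ns):
        print("  ", cmd)
    print("bindings granting rights to a default SA:", default_sa_bindings(rb_json) or "none")
```

The script treats a missing `automountServiceAccountToken` field as a failure, which matches how the check is evaluated: the flag must be present and false, not merely unset. Pods can still opt in to a token individually by setting `automountServiceAccountToken: true` in their own spec, which is why hardening the default service account does not break workloads that use a dedicated service account.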