How do I change what permissions the default serviceaccount created in each namespace has? I've tried binding it to a role with few permissions, but since permissions are unioned, it didn't change what I could do with the serviceaccount token. My desired end state would be a default serviceaccount that cannot access /api/vi/secrets.
Is there an elegant way to do this or am I better off creating my own "default" serviceaccount in each namespace with the permissions I want?
We figured this out and I thought I'd post the solution here.
The issue is that once k8s 1.6 and RBAC came to GKE, they didn't want to break everything that used serviceaccounts since they would suddenly find themselves without any permissions. What Google did was they enabled RBAC for users but NOT for serviceaccounts unless you turned on the --no-enable-legacy-authorization on your cluster.
TL;DR there wasn't anything granting the default servieceaccount permissions, rather it was that all serviceaccounts had full permissions because RBAC wasn't enabled for serviceaccounts.
What authorization mode and policy are you using in your cluster?
RBAC and ABAC do not inherently grant service accounts any permissions.
Check the policy you are using and remove any rules that grant API access to all service accounts, then grant permissions to the specific service accounts or groups of service accounts you want to have access.