Profile applicability: Level 1
Service accounts tokens should not be mounted in pods except where the workload running
in the pod explicitly needs to communicate with the API server.
Mounting service account tokens inside pods can provide an avenue for privilege escalation
attacks where an attacker is able to compromise a single pod in the cluster.
Avoiding mounting these tokens removes this attack avenue.
 |
NoteBy default, all pods get a service account token mounted in them.
|
Impact
Pods mounted without service account tokens will not be able to communicate with the
API server, except where the resource is available to unauthenticated principals.
Audit
Review pod and service account objects in the cluster and ensure that the option below
is set, unless the resource explicitly requires this access:
automountServiceAccountToken: false
Remediation
Regularly review pod and service account objects in the cluster to ensure that the
automountServiceAccountToken setting is false for pods and accounts that do not explicitly require API server access.