A service account is assigned to a pod by the field
If not set, the default service account is used.
The pod-level field automountServiceAccountToken controls whether that service account's token is mounted into the pod automatically; it overrides the automountServiceAccountToken setting of the ServiceAccount object.
Any setting other than automountServiceAccountToken: false violates this policy.
If the container is compromised, the attacker could read the mounted token. With these credentials the Kubernetes API could be accessed from within the pod. The attacker would acquire all privileges of the assigned service account. Therefore, the service account token should only be mounted to pods when absolutely necessary.
Note that this policy is part of the following security standards:
cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.1.6
bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A9
nsa/kubernetes: Kubernetes Hardening Guidance v1.0: Protecting Pod service account tokens
A pod spec that satisfies this policy (the line automountServiceAccountToken: false is the one to add):

    spec:
      automountServiceAccountToken: false
      containers:
      - name: nginx
        ports:
        - containerPort: 80
To exclude a workload from this policy, annotate it with securitytower.io/policy.exclusion.enforcenoautomountserviceaccounttoken as in the example below.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: your-deployment
      annotations:
        securitytower.io/policy.exclusion.enforcenoautomountserviceaccounttoken: |-
          Pods of this deployment must be able to access the Kubernetes API in order to work correctly.
    ...
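The following is an added example, not Security Tower's own policy engine, showing how the rule above and the exclusion annotation can be checked on parsed Kubernetes manifests. The annotation name is the one documented above; the sample manifests are constructed for the example, and the pod-spec locations for the various workload kinds (spec for Pod, spec.template.spec for Deployment-like kinds, spec.jobTemplate.spec.template.spec for CronJob) follow the standard Kubernetes API layout. An unset field is treated as a violation, because the token mount then falls back to the ServiceAccount's setting, which is enabled by default.

```python
"""Check parsed Kubernetes manifests for automountServiceAccountToken: false."""
from __future__ import annotations

from typing import Any

# Annotation name taken from the policy documentation above.
EXCLUSION_ANNOTATION = (
    "securitytower.io/policy.exclusion.enforcenoautomountserviceaccounttoken"
)


def pod_spec_of(manifest: dict[str, Any]) -> dict[str, Any]:
    """Locate the pod spec inside the workload kinds this check understands."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # spec.jobTemplate.spec.template.spec
        job_spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job_spec.get("template") or {}).get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, ReplicaSet, Job: spec.template.spec
    return (spec.get("template") or {}).get("spec") or {}


def check(manifest: dict[str, Any]) -> tuple[str, str]:
    """Return (status, reason); status is 'pass', 'fail' or 'excluded'."""
    metadata = manifest.get("metadata") or {}
    annotations = metadata.get("annotations") or {}
    if EXCLUSION_ANNOTATION in annotations:
        # Excluded workloads are reported with their justification, not failed.
        return "excluded", str(annotations[EXCLUSION_ANNOTATION]).strip()
    value = pod_spec_of(manifest).get("automountServiceAccountToken")
    if value is False:
        return "pass", "automountServiceAccountToken is false"
    if value is None:
        return "fail", ("automountServiceAccountToken is not set, so the "
                        "ServiceAccount's setting applies (true by default)")
    return "fail", f"automountServiceAccountToken is {value!r}, must be false"


def report(manifests: list[dict[str, Any]]) -> dict[str, str]:
    """Map '<kind>/<name>' to the check status for each manifest."""
    result: dict[str, str] = {}
    for m in manifests:
        name = (m.get("metadata") or {}).get("name", "<unnamed>")
        result[f"{m.get('kind')}/{name}"] = check(m)[0]
    return result


# Constructed sample manifests (shaped like YAML parser output), not from a real cluster.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "nginx", "ports": [{"containerPort": 80}]}]},
}
VIOLATING_DEPLOYMENT = {  # field left unset: the token gets mounted
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [{"name": "web"}]}}},
}
EXCLUDED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "your-deployment",
                 "annotations": {EXCLUSION_ANNOTATION: "Pods of this deployment must be "
                                 "able to access the Kubernetes API in order to work correctly."}},
    "spec": {"template": {"spec": {"containers": [{"name": "api-client"}]}}},
}

if __name__ == "__main__":
    for key, status in report([COMPLIANT_POD, VIOLATING_DEPLOYMENT, EXCLUDED_DEPLOYMENT]).items():
        print(f"{key}: {status}")
```

Running the module prints one line per manifest; in a pipeline you would feed it the parsed output of a YAML loader and fail the build on any "fail" entry, while listing the "excluded" entries with their justification text for review.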