Enforce No Automount Service Account Token 1.0.2

A service account is assigned to a pod via the field serviceAccountName; if it is not set, the namespace's default service account is used. The field automountServiceAccountToken controls whether that service account's token is mounted into the pod's containers automatically. When set on the pod spec it overrides the automountServiceAccountToken setting of the ServiceAccount object. Any value other than automountServiceAccountToken: false on the pod spec, including leaving the field unset, violates this policy.

If a container is compromised, the attacker can read the mounted token (by default at /var/run/secrets/kubernetes.io/serviceaccount/token) and use it to call the Kubernetes API from inside the pod, with every permission that RBAC grants to the assigned service account. The service account token should therefore only be mounted into pods that actually need to talk to the API; for those, document the need with the risk acceptance annotation described below.

Note that this policy is part of the following security standards:

  • cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.1.6
  • bsi/kubernetes: BSI IT-Grundschutz "Kubernetes": Section: APP.4.4.A9
  • nsa/kubernetes: Kubernetes Hardening Guidance v1.0: Protecting Pod service account tokens

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # Required by this policy: set explicitly to false on the pod spec itself
      automountServiceAccountToken: false
      containers:
        - name: nginx
          image: nginx:1.21.3
          ports:
            - containerPort: 80
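The check this policy performs, as an added example (not code from this page or from the Security Tower product): a small Python script that takes the JSON printed by kubectl get ... -o json, locates the pod spec for each kind listed under Applies to (including the deeper nesting of CronJob, whose pod template sits under spec.jobTemplate.spec.template), and reports every object that does not set automountServiceAccountToken: false explicitly. It also contains effective_automount, which models the override order described above: the pod field wins, then the ServiceAccount's field, and otherwise Kubernetes mounts the token. The function names and the sample objects are constructed for this example; the script runs without a cluster.

```python
"""Offline checker for the "no automount service account token" rule.

Input is the JSON that `kubectl get <kind> -o json` prints (a single object
or a v1 List). The SAMPLE below is constructed inline so the script runs
without a cluster.
"""
import json

# Where the pod template lives inside each workload kind the policy applies to.
# A Pod has no template: its own spec is the pod spec.
TEMPLATE_PATH = {
    "Pod": [],
    "ReplicaSet": ["spec", "template"],
    "ReplicationController": ["spec", "template"],
    "Deployment": ["spec", "template"],
    "StatefulSet": ["spec", "template"],
    "DaemonSet": ["spec", "template"],
    "Job": ["spec", "template"],
    "CronJob": ["spec", "jobTemplate", "spec", "template"],
}


def pod_spec_of(obj):
    """Return the pod spec of a workload object, or None if its kind is out of scope."""
    path = TEMPLATE_PATH.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key, {})
    return node.get("spec", {})


def effective_automount(pod_spec, service_account=None):
    """Kubernetes semantics: the pod field overrides the ServiceAccount field,
    and when neither is set the token is mounted (default True)."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    if service_account and "automountServiceAccountToken" in service_account:
        return bool(service_account["automountServiceAccountToken"])
    return True


def violates(obj):
    """The policy accepts only an explicit `false` on the pod spec itself;
    relying on the ServiceAccount object's setting is not enough."""
    spec = pod_spec_of(obj)
    if spec is None:
        return False
    return spec.get("automountServiceAccountToken") is not False


def find_violations(objects):
    """Return 'kind/name' for every in-scope object that violates the policy."""
    out = []
    for obj in objects:
        items = obj["items"] if obj.get("kind") == "List" else [obj]
        for item in items:
            if violates(item):
                out.append(f'{item["kind"]}/{item["metadata"]["name"]}')
    return out


# Constructed sample, shaped like `kubectl get pods,deploy,cronjobs -o json`.
SAMPLE = json.loads("""
{ "kind": "List", "apiVersion": "v1", "items": [
  {"kind": "Pod", "apiVersion": "v1", "metadata": {"name": "debug"},
   "spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
  {"kind": "Deployment", "apiVersion": "apps/v1", "metadata": {"name": "nginx-deployment"},
   "spec": {"selector": {"matchLabels": {"app": "nginx"}},
            "template": {"spec": {"automountServiceAccountToken": false,
                                  "containers": [{"name": "nginx", "image": "nginx:1.21.3"}]}}}},
  {"kind": "CronJob", "apiVersion": "batch/v1", "metadata": {"name": "backup"},
   "spec": {"schedule": "0 * * * *",
            "jobTemplate": {"spec": {"template": {"spec": {
              "automountServiceAccountToken": true,
              "containers": [{"name": "backup", "image": "busybox"}]}}}}}},
  {"kind": "ConfigMap", "apiVersion": "v1", "metadata": {"name": "ignored"}, "data": {}}
]}
""")

if __name__ == "__main__":
    for v in find_violations([SAMPLE]):
        print("violation:", v)
```

Against the sample the script reports Pod/debug (field unset, so the token is mounted by default) and CronJob/backup (explicitly true); the Deployment passes and the ConfigMap is out of scope. Note that effective_automount and violates deliberately differ: a pod whose ServiceAccount object carries automountServiceAccountToken: false would not get a token mounted, but it still violates this policy because the pod spec itself does not say so.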

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforcenoautomountserviceaccounttoken as in the example below, with the reason the pods need API access as its value.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcenoautomountserviceaccounttoken: |-
      Pods of this deployment must be able to access the Kubernetes API in order to work correctly.
...