
Auto ServiceAccount token mounted (GITA-SEC-005)

Service Accounts are the Kubernetes-native mechanism for controlling authentication and, when used in conjunction with Roles, also enable resource access control. A Service Account authenticates to the API Server with a signed JWT, typically generated by the Admission controller.

Every Pod has a Service Account, using the namespace's default one when none is explicitly set. Once the Pod's container has access to the Service Account token, it can authenticate with the API Server and therefore gains full access to the Kubernetes API. However, the only use case in which a container legitimately requires access to the Kubernetes API is when it directly interacts with the cluster and its resources. For programs that do not fall under that use case, access to the Service Account token only increases the attack surface of the cluster.

For that reason, Service Account tokens are not made available to the container by default, but can be configured to be mounted automatically through the manifest option automountServiceAccountToken. To explicitly disable this feature, set the option to false as follows:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
automountServiceAccountToken: false
```

The same option can be set in a Pod manifest, where it sits under spec, as shown in the example below:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  containers:
    - name: redis
      image: redis:latest
  automountServiceAccountToken: false
```
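An added audit helper, not part of this rule page or its project, that applies the precedence Kubernetes documents for this field: the Pod spec setting wins, then the ServiceAccount setting, and when neither is set the token is mounted because Kubernetes defaults the field to true. It assumes the manifests have already been parsed into dicts (as a YAML parser would return them); the sample objects are constructed for illustration.

```python
# Audit helper for GITA-SEC-005: decide whether a Pod will get a ServiceAccount
# token mounted, following the Kubernetes precedence rules:
#   1. pod.spec.automountServiceAccountToken, if set, wins;
#   2. otherwise the ServiceAccount's automountServiceAccountToken, if set;
#   3. otherwise the token is mounted (Kubernetes defaults the field to true).
# Manifests are plain dicts, i.e. what a YAML parser would return.

def index_service_accounts(manifests):
    """Map (namespace, name) -> ServiceAccount object."""
    return {(o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
            for o in manifests if o.get("kind") == "ServiceAccount"}

def effective_automount(pod, sa_index):
    """True when the Pod will have a token mounted, False when it opted out."""
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not None:
        return spec["automountServiceAccountToken"]          # Pod setting wins
    ns = pod["metadata"].get("namespace", "default")
    sa = sa_index.get((ns, spec.get("serviceAccountName", "default")))
    if sa is not None and sa.get("automountServiceAccountToken") is not None:
        return sa["automountServiceAccountToken"]             # SA setting next
    return True                                               # cluster default

def audit(manifests):
    """Return 'namespace/pod' for every Pod that will receive a token."""
    sa_index = index_service_accounts(manifests)
    return [f"{p['metadata'].get('namespace', 'default')}/{p['metadata']['name']}"
            for p in manifests
            if p.get("kind") == "Pod" and effective_automount(p, sa_index)]

# Constructed sample manifests (not from the page), one per precedence case.
SAMPLE_MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "example-sa"},
     "automountServiceAccountToken": False},
    {"kind": "Pod", "metadata": {"name": "redis"},            # explicit opt-out
     "spec": {"containers": [{"name": "redis", "image": "redis:latest"}],
              "automountServiceAccountToken": False}},
    {"kind": "Pod", "metadata": {"name": "worker"},           # inherits SA opt-out
     "spec": {"serviceAccountName": "example-sa",
              "containers": [{"name": "w", "image": "busybox"}]}},
    {"kind": "Pod", "metadata": {"name": "override"},         # Pod re-enables mount
     "spec": {"serviceAccountName": "example-sa", "automountServiceAccountToken": True,
              "containers": [{"name": "w", "image": "busybox"}]}},
    {"kind": "Pod", "metadata": {"name": "nginx"},            # nothing set: default
     "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print("token mounted:", finding)
```

Running it reports only the override and nginx Pods, which is the set a GITA-SEC-005 check should flag.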

For more information, visit the Kubernetes documentation.