Service account spec 'automountServiceAccountToken' should be set to 'false' Affecting Authorization service in Kubernetes
Severity Framework
Snyk CCSS
Rule category
Containers / Best Practices
Frameworks
CIS-Kubernetes
- Snyk ID SNYK-CC-00654
- credit Snyk Research Team
Description
Avoid auto mounting tokens for the default service account. The default service account should not be used and its ability to provide API credentials should be disabled.
How to fix?
Set the automountServiceAccountToken attribute to false.
Example Configuration
apiVersion: v1
kind: ServiceAccount
metadata:
  name: valid-serviceaccount
# Do not mount an API token into pods that use this service account
automountServiceAccountToken: false
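
An added audit example, not part of the Snyk rule or its tooling: it lists service accounts that do not set automountServiceAccountToken to false, and pods that still receive a token because a pod-level automountServiceAccountToken value takes precedence over the service account's. The input is a constructed sample shaped like the List that `kubectl get serviceaccounts,pods -A -o json` returns; the function name `audit` and all object names in the sample are assumptions.

```python
import json

# Constructed sample (not from a real cluster), shaped like kubectl's JSON List output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "shop"}},
 {"kind": "ServiceAccount", "metadata": {"name": "valid-serviceaccount", "namespace": "shop"},
  "automountServiceAccountToken": false},
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
  "spec": {"serviceAccountName": "valid-serviceaccount"}},
 {"kind": "Pod", "metadata": {"name": "batch", "namespace": "shop"},
  "spec": {"serviceAccountName": "valid-serviceaccount", "automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"name": "cache", "namespace": "shop"}, "spec": {}}
]}
""")

def audit(items):
    """Return (service accounts not set to false, pods that still get a token)."""
    sa_setting = {}
    for obj in items:
        if obj.get("kind") == "ServiceAccount":
            meta = obj["metadata"]
            # None means the field is unset, which Kubernetes treats as "mount".
            sa_setting[(meta.get("namespace", "default"), meta["name"])] = obj.get("automountServiceAccountToken")
    flagged_sas = sorted(key for key, value in sa_setting.items() if value is not False)
    mounted_pods = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        ns = obj["metadata"].get("namespace", "default")
        spec = obj.get("spec", {})
        sa = spec.get("serviceAccountName", "default")
        pod_value = spec.get("automountServiceAccountToken")
        # Precedence: pod spec value, then service account value, then default (true).
        effective = pod_value if pod_value is not None else sa_setting.get((ns, sa))
        if effective is None:
            effective = True
        if effective:
            mounted_pods.append((ns, obj["metadata"]["name"], sa))
    return flagged_sas, sorted(mounted_pods)

if __name__ == "__main__":
    sas, pods = audit(SAMPLE["items"])
    print("service accounts not set to false:", sas)
    print("pods that still mount a token:", pods)
```

In the sample, the pod named batch still gets a token even though its service account matches the example configuration, because the pod spec sets the field to true.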