Pod spec 'automountServiceAccountToken' should be set to 'false' Affecting Service service in Kubernetes

Severity Framework Snyk CCSS

Rule category IAM / Public Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Kubernetes

Snyk ID SNYK-CC-00655
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Service account 'automountServiceAccountToken' should be set to 'false'. Avoid automounting service account tokens. Service account tokens are used to authenticate requests from in-cluster processes to the Kubernetes API server. Many workloads do not need to communicate with the API server and hence should have automountServiceAccountToken set to false.

How to fix?

Set the spec.automountServiceAccountToken attribute in Podsand ServiceAccount to false.

Example Configuration

apiVersion: v1
kind: ServiceAccount
metadata:
  name: valid-sa
automountServiceAccountToken: false

---
apiVersion: v1
kind: Pod
metadata:
  name: valid-pod
spec:
  serviceAccountName: valid-sa
  automountServiceAccountToken: false
  containers:
    - image: nginx:1.21.6
      name: nginx

Pod spec 'automountServiceAccountToken' should be set to 'false' Affecting Service service in Kubernetes

Description

How to fix?

Example Configuration

Kubernetes

Terraform

References