Pod spec 'automountServiceAccountToken' should be set to 'false' Affecting Service service in Kubernetes


Severity

0.0
low
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    IAM / Public Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Kubernetes
  • Snyk ID SNYK-CC-00655
  • credit Snyk Research Team

Description

Service account 'automountServiceAccountToken' should be set to 'false'. Avoid automounting service account tokens. Service account tokens are used to authenticate requests from in-cluster processes to the Kubernetes API server. Many workloads do not need to communicate with the API server and hence should have automountServiceAccountToken set to false.

How to fix?

Set the spec.automountServiceAccountToken attribute in Podsand ServiceAccount to false.

Example Configuration

apiVersion: v1
kind: ServiceAccount
metadata:
  name: valid-sa
automountServiceAccountToken: false

---
apiVersion: v1
kind: Pod
metadata:
  name: valid-pod
spec:
  serviceAccountName: valid-sa
  automountServiceAccountToken: false
  containers:
    - image: nginx:1.21.6
      name: nginx