Pod spec 'automountServiceAccountToken' should be set to 'false' Affecting Service service in Kubernetes
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00655
- creditSnyk Research Team
Description
Service account 'automountServiceAccountToken' should be set to 'false'. Avoid automounting service account tokens. Service account tokens are used to authenticate requests from in-cluster processes to the Kubernetes API server. Many workloads do not need to communicate with the API server and hence should have automountServiceAccountToken set to false.
How to fix?
Set the spec.automountServiceAccountToken attribute in Podsand ServiceAccount to false.
Example Configuration
apiVersion: v1
kind: ServiceAccount
metadata:
name: valid-sa
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
name: valid-pod
spec:
serviceAccountName: valid-sa
automountServiceAccountToken: false
containers:
- image: nginx:1.21.6
name: nginx
Set the automount_service_account_token attribute in kubernetes_service_account and Kubernetes.Pod to false,by default, a service account token is automounted in all pods.
Example Configuration
resource "kubernetes_service_account" "allowed1" {
metadata {
name = "allowed-service-account"
}
automount_service_account_token = false
}
resource "kubernetes_pod" "allowed2" {
metadata {
name = "allowed-service-account-pod"
}
spec {
service_account_name = "allowed-service-account"
automount_service_account_token = false
container {
name = "nginx-container-1"
image = "nginx:1.21.6"
}
}
}