KubernetesOverview
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server.
Rationale
Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster. Avoiding mounting these tokens removes this attack avenue.
Impact
Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals.
Default value
By default, all pods get a service account token mounted in them.
Remediation guidance
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
References
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Kubernetes
Use admission policies, baseline cluster configuration, GitOps templates, and namespace or workload guardrails so new deployments follow the control by default.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Kubernetes CronJobs pod template which automounts service accounts
Connectors
Covered asset types
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}Kubernetes Jobs pod templates which automounts service accounts
Connectors
Covered asset types
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}Kubernetes DaemonSets pod templates which automounts service accounts
Connectors
Covered asset types
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}Kubernetes Deployments pod templates which automounts service accounts
Connectors
Covered asset types
Expected check: eq []
{
deployments(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}Kubernetes ReplicaSets pod templates which automounts service accounts
Connectors
Covered asset types
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets pod templates which automounts service accounts
Connectors
Covered asset types
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
