Ensure service account tokens are mounted where necessary

Error: Service account tokens are not mounted where necessary

Bridgecrew Policy ID: BC_K8S_35
Checkov Check ID: CKV_K8S_38
Severity: LOW

Description

One way to authenticate to the Kubernetes API is with a service account token. A ServiceAccount is a Kubernetes object that provides an identity for the processes running in a pod. Each service account has an associated secret that contains a bearer token. This token is a JSON Web Token (JWT), a method for representing claims securely between two parties.

The token is presented during authentication, so it becomes valuable to an attacker who obtains it when the service account is privileged. With the token, an attacker can impersonate the service account and call the Kubernetes REST API.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: automountServiceAccountToken (Optional)
    When set to false, you can opt out of automounting API credentials for a service account.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
+ automountServiceAccountToken: false

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
+         automountServiceAccountToken: false

apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
+     automountServiceAccountToken: false
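As an added example (not Checkov's own code and not part of this page), a simplified buildtime check in the spirit of CKV_K8S_38: it locates the pod spec for each resource kind listed above, including the extra nesting of CronJob, and fails any manifest that does not set the field explicitly to false. It goes beyond the page by also handling the ServiceAccount object, which carries the same field at top level. It assumes manifests already parsed into dicts (for example with yaml.safe_load); the sample manifests are constructed.

```python
# Added example, not Checkov's implementation: a simplified CKV_K8S_38-style
# check over a manifest already parsed into a dict (e.g. via yaml.safe_load).
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
                  "ReplicationController", "Job"}  # pod spec at spec.template.spec


def pod_spec(manifest):
    """Return the pod spec of a workload manifest, or None if unsupported."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec")
    if kind == "CronJob":  # nested one level deeper than the other workloads
        job_spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job_spec.get("template") or {}).get("spec")
    return None


def check_automount(manifest):
    """PASSED only when automountServiceAccountToken is explicitly false; an
    absent key means the token is mounted by default, so FAILED. ServiceAccount
    objects carry the same field at top level (a pod-level value overrides it)."""
    holder = manifest if manifest.get("kind") == "ServiceAccount" else pod_spec(manifest)
    if holder is None:
        return "UNKNOWN"
    return "PASSED" if holder.get("automountServiceAccountToken") is False else "FAILED"


SAMPLES = {  # constructed sample manifests, not taken from the page
    "pod-default": {"kind": "Pod", "metadata": {"name": "web"},
                    "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    "cronjob-fixed": {"kind": "CronJob", "metadata": {"name": "backup"},
                      "spec": {"schedule": "0 * * * *", "jobTemplate": {"spec": {"template": {
                          "spec": {"automountServiceAccountToken": False, "containers": []}}}}}},
    "deploy-true": {"kind": "Deployment", "metadata": {"name": "api"},
                    "spec": {"template": {"spec": {"automountServiceAccountToken": True}}}},
    "sa-fixed": {"kind": "ServiceAccount", "metadata": {"name": "builder"},
                 "automountServiceAccountToken": False},
}


def scan(samples=SAMPLES):
    """Map each sample name to its check result."""
    return {name: check_automount(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(f"{result:7} {name}")
```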