One way to authenticate to the Kubernetes API is with a service account token. A ServiceAccount is an object managed by Kubernetes that provides an identity for processes running in a pod. Every service account has an associated secret, and this secret contains a bearer token. The token is a JSON Web Token (JWT), a method for representing claims securely between two parties.
The service account token is presented during the authentication stage, so it becomes useful to attackers when the service account is privileged and they have access to the token. With this token an attacker can easily impersonate the service account and use the REST APIs.
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: automountServiceAccountToken (Optional)
When set to false, you can opt out of automounting API credentials for a service account.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
+ automountServiceAccountToken: false
```

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
+         automountServiceAccountToken: false
```

```yaml
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
+     automountServiceAccountToken: false
```
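The check these snippets satisfy can be run over existing workloads. The following is an added example, not code from the original page or from any tool it describes: it assumes manifests exported as JSON (for instance the `List` that `kubectl get <kind> -o json` returns), and the function names and sample objects are constructed for illustration.

```python
import json

# Where the pod spec lives for each resource kind named on this page.
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
                  "ReplicationController", "Job"}
PATHS = {"Pod": ("spec",),
         "CronJob": ("spec", "jobTemplate", "spec", "template", "spec")}
PATHS.update({kind: ("spec", "template", "spec") for kind in TEMPLATE_KINDS})


def pod_spec(manifest):
    """Return the pod spec dict for a covered kind, or None if it is absent."""
    path = PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None


def token_automounted(manifest):
    """True unless the pod spec explicitly sets the field to boolean false."""
    spec = pod_spec(manifest) or {}
    return spec.get("automountServiceAccountToken") is not False


def audit(document):
    """Return 'Kind/name' for each covered workload that does not opt out."""
    doc = json.loads(document)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f"{m['kind']}/{m.get('metadata', {}).get('name', '?')}"
            for m in items
            if m.get("kind") in PATHS and token_automounted(m)]


# Constructed sample input, not taken from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"automountServiceAccountToken": False}},
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {"containers": []}}}},
    # Field misplaced on the CronJob spec instead of the nested pod spec.
    {"kind": "CronJob", "metadata": {"name": "backup"},
     "spec": {"automountServiceAccountToken": False,
              "jobTemplate": {"spec": {"template": {"spec": {}}}}}},
    {"kind": "ConfigMap", "metadata": {"name": "settings"}},
]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is deliberately strict: a missing field counts as a finding, because the page's fix is an explicit `false` on the pod spec.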