For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-service-account-token-automount-not-disabled.md. A documentation index is available at /llms.txt.

Service account token auto-mount not disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-service-account-token-automount-not-disabled

Platform: Kubernetes

Severity: Medium

Category: Insecure Defaults

Learn More

Description

Service account tokens are automatically mounted even if not necessary. This rule detects workloads where automountServiceAccountToken is set to true on the pod spec or inherited from the referenced ServiceAccount, and flags resources that should set it to false. Pod-level automountServiceAccountToken takes precedence over the ServiceAccount setting. If the pod-level key is missing, the ServiceAccount value is evaluated. The rule reports IncorrectValue when the token is enabled, and MissingAttribute when the attribute is undefined on both the pod and the referenced ServiceAccount.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
    - name: sec-ctx-vol
      emptyDir: { }
  containers:
    - name: sec-ctx-demo
      image: busybox
      command: [ "sh", "-c", "sleep 1h" ]
      volumeMounts:
        - name: sec-ctx-vol
          mountPath: /data/demo
      securityContext:
        allowPrivilegeEscalation: false

apiVersion: v1
kind: ServiceAccount
metadata:
  name: redistest-sa
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoenv
  labels:
    app: redis
spec:
  selector:
    matchLabels:
      app: redis
  template:
    metadata:      
      labels:
        app: redis
    spec:
      serviceAccountName: redistest-sa
      containers:
      - name: redis
        image: redis:latest

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
    - name: sec-ctx-vol
      emptyDir: { }
  containers:
    - name: sec-ctx-demo
      image: busybox
      command: [ "sh", "-c", "sleep 1h" ]
      volumeMounts:
        - name: sec-ctx-vol
          mountPath: /data/demo
      securityContext:
        allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
  name: security.context.demo
spec:
  automountServiceAccountToken: true
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
    - name: sec-ctx-vol
      emptyDir: { }
  containers:
    - name: sec-ctx-demo
      image: busybox
      command: [ "sh", "-c", "sleep 1h" ]
      volumeMounts:
        - name: sec-ctx-vol
          mountPath: /data/demo
      securityContext:
        allowPrivilegeEscalation: false
---
apiVersion: serving.knative.dev/v1
kind: Configuration
metadata:
  name: dummy-config
  namespace: knative-sequence
spec:
  template:
    spec:
      automountServiceAccountToken: true
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      volumes:
        - name: sec-ctx-vol
          emptyDir: { }
      containers:
        - name: sec-ctx-demo
          image: busybox
          command: [ "sh", "-c", "sleep 1h" ]
          volumeMounts:
            - name: sec-ctx-vol
              mountPath: /data/demo
          securityContext:
            allowPrivilegeEscalation: false        

apiVersion: v1
kind: ServiceAccount
metadata:
  name: redistest-sa
automountServiceAccountToken: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoenv
  labels:
    app: redis
spec:
  selector:
    matchLabels:
      app: redis
  template:
    metadata:      
      labels:
        app: redis
    spec:
      serviceAccountName: redistest-sa
      containers:
      - name: redis
        image: redis:latest