Service account tokens are mounted automatically, even when not necessary. This rule checks Kubernetes resources — kubernetes_pod, kubernetes_deployment, kubernetes_daemonset, kubernetes_job, kubernetes_stateful_set, kubernetes_replication_controller, and kubernetes_cron_job — for the automount_service_account_token attribute and requires it to be set to false. It reports a MissingAttribute when automount_service_account_token is undefined and an IncorrectValue when it is explicitly set to true; remediation is to set automount_service_account_token = false (replacement from true to false when applicable).
Compliant Code Examples
resource "kubernetes_deployment" "example9" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }

  spec {
    replicas = 3

    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }

    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }

      spec {
        automount_service_account_token = false

        container {
          image = "nginx:1.7.8"
          name  = "example"

          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }

          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80

              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }

            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

resource "kubernetes_daemonset" "example22" {
  metadata {
    name      = "terraform-example"
    namespace = "something"
    labels = {
      test = "MyExampleApp"
    }
  }

  spec {
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }

    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }

      spec {
        automount_service_account_token = false

        container {
          image = "nginx:1.7.8"
          name  = "example"

          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }

          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80

              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }

            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

resource "kubernetes_cron_job" "demo32" {
  metadata {
    name = "demo"
  }

  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10

    job_template {
      metadata {}

      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10

        template {
          metadata {}

          spec {
            automount_service_account_token = false

            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

resource "kubernetes_pod" "test62" {
  metadata {
    name = "terraform-example"
  }

  spec {
    automount_service_account_token = false

    container {
      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}
Non-Compliant Code Examples
# MissingAttribute: automount_service_account_token is not set in the pod template spec
resource "kubernetes_deployment" "example" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }

  spec {
    replicas = 3

    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }

    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }

      spec {
        container {
          image = "nginx:1.7.8"
          name  = "example"

          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }

          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80

              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }

            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

# IncorrectValue: automount_service_account_token is explicitly set to true
resource "kubernetes_daemonset" "example2" {
  metadata {
    name      = "terraform-example"
    namespace = "something"
    labels = {
      test = "MyExampleApp"
    }
  }

  spec {
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }

    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }

      spec {
        automount_service_account_token = true

        container {
          image = "nginx:1.7.8"
          name  = "example"

          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }

          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80

              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }

            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

# IncorrectValue: automount_service_account_token is explicitly set to true
resource "kubernetes_cron_job" "demo3" {
  metadata {
    name = "demo"
  }

  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10

    job_template {
      metadata {}

      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10

        template {
          metadata {}

          spec {
            automount_service_account_token = true

            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

# MissingAttribute: automount_service_account_token is not set in the pod spec
resource "kubernetes_pod" "test6" {
  metadata {
    name = "terraform-example"
  }

  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"

      env {
        name  = "environment"
        value = "test"
      }

      port {
        container_port = 8080
      }

      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80

          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }

        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }

    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]

      option {
        name  = "ndots"
        value = 1
      }

      option {
        name = "use-vc"
      }
    }

    dns_policy = "None"
  }
}
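To show how the rule's two findings map onto each supported resource type, here is an added Python example (not Datadog's scanner code) that walks Terraform's JSON configuration syntax (`.tf.json`), locates the pod spec for each resource, reports MissingAttribute or IncorrectValue, and applies the remediation; the path table, the function names and the condensed sample configuration are assumptions constructed from the examples above.

```python
# Added example (not Datadog's scanner): path from each resource body to its pod spec (Terraform JSON syntax).
TEMPLATE = ["spec", "template", "spec"]
POD_SPEC_PATH = {
    "kubernetes_pod": ["spec"],
    "kubernetes_deployment": TEMPLATE, "kubernetes_daemonset": TEMPLATE, "kubernetes_job": TEMPLATE,
    "kubernetes_stateful_set": TEMPLATE, "kubernetes_replication_controller": TEMPLATE,
    "kubernetes_cron_job": ["spec", "job_template"] + TEMPLATE,
}
ATTR = "automount_service_account_token"

def pod_spec_of(node, path):
    """Descend nested blocks; JSON syntax may wrap a block in a one-element list."""
    for key in path:
        node = node[0] if isinstance(node, list) and node else node
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    node = node[0] if isinstance(node, list) and node else node
    return node if isinstance(node, dict) else None

def check_automount(config):
    """Return (address, finding) pairs: MissingAttribute when undefined, IncorrectValue when true."""
    findings = []
    for rtype, path in POD_SPEC_PATH.items():
        for name, body in config.get("resource", {}).get(rtype, {}).items():
            spec = pod_spec_of(body, path)
            value = None if spec is None else spec.get(ATTR)
            if value is None:
                findings.append((f"{rtype}.{name}", "MissingAttribute"))
            elif value is True:
                findings.append((f"{rtype}.{name}", "IncorrectValue"))
    return findings

def fix_automount(config):
    """Remediation: set the attribute to false in every flagged pod spec, in place."""
    for address, _ in check_automount(config):
        rtype, name = address.split(".", 1)
        spec = pod_spec_of(config["resource"][rtype][name], POD_SPEC_PATH[rtype])
        if spec is not None:
            spec[ATTR] = False

SAMPLE_CONFIG = {  # constructed, condensed from the page's examples
    "resource": {
        "kubernetes_deployment": {"example": {"spec": {"template": {"spec": {"container": [{"name": "example"}]}}}}},
        "kubernetes_daemonset": {"example2": {"spec": {"template": {"spec": {ATTR: True, "container": [{"name": "example"}]}}}}},
        "kubernetes_cron_job": {"demo3": {"spec": {"job_template": {"spec": {"template": {"spec": {ATTR: True}}}}}}},
        "kubernetes_pod": {"test62": {"spec": {ATTR: False, "container": [{"name": "example"}]}}},
    },
}
```

Running `check_automount(SAMPLE_CONFIG)` flags the deployment as MissingAttribute and the daemonset and cron job as IncorrectValue, while the pod with the attribute set to false passes; `fix_automount` then clears all three findings.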
rulesets:
  - Terraform / Kubernetes # Rules to enforce / Kubernetes.