Service account tokens are only mounted where necessary
Set up the kubernetes integration.
Description
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server.
Rationale
Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster. Avoiding mounting these tokens removes this attack avenue.
Audit
Review pod and service account objects in the cluster and ensure that the option below is set, unless the resource explicitly requires automountServiceAccountToken: false.
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
Impact
Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals.
Default value
By default, all pods get a service account token mounted in them.
References
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
CIS controls
Version 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
