Service account tokens are not mounted where necessary
Description
One way to authenticate the API is by using the Service Account token. ServiceAccount is an object managed by Kubernetes and used to provide an identity for processes that run in a pod. Every service account has a secret related to it, this secret contains a bearer token. This is a JSON Web Token (JWT), a method for representing claims securely between two parties.
This Service Account token is being used during the authentication stage and can become useful for attackers if the service account is privileged and they have access to such a token. With this token an attacker can easily impersonate the service account and use REST APIs.
Fix - Buildtime
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: automountServiceAccountToken (Optional)
When set to false, you can opt out of automounting API credentials for a service account.
```yaml Pod
apiVersion: v1
kind: Pod
metadata:
name:
```yaml CronJob
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: <name>
spec:
schedule: <>
jobTemplate:
spec:
template:
spec:
+ automountServiceAccountToken: false
yaml Other
apiVersion: <>
kind: <kind>
metadata:
name: <name>
spec:
template:
spec:
+ automountServiceAccountToken: false