
Service account tokens are not mounted where necessary

Description

One way to authenticate to the Kubernetes API is with a service account token. A ServiceAccount is an object managed by Kubernetes that provides an identity for the processes running in a pod. The token is a bearer token in JSON Web Token (JWT) form: a signed set of claims (issuer, subject, namespace, service account name, and for newer tokens an expiry and the pod that holds it) that the API server can validate. Older clusters kept a long-lived token in a Secret tied to each service account; since Kubernetes 1.22 the kubelet instead requests a short-lived, pod-bound token and projects it into the pod. Either way, by default the token is mounted into every container at /var/run/secrets/kubernetes.io/serviceaccount/token.

The token is presented at the authentication stage, so any process that can read it from the pod's filesystem can call the API server as that service account. If the service account is privileged, for example bound to a ClusterRole that can read Secrets or create pods, a container compromise turns directly into cluster access. Most workloads never talk to the API server and do not need the token mounted at all, so it should only be mounted where it is actually required.
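To make the risk concrete, the following added example (not code from the page or from any Kubernetes project) decodes the claims of a service account token without verifying it, which is exactly what an attacker who reads the mounted file would do to learn which identity they now hold. The tokens are constructed inside the block (unsigned, fake uids); the claim layouts mirror real bound tokens and real legacy Secret-backed tokens, and the `summarize` helper, `TOKEN_PATH` constant and sample names are this example's own.

```python
"""Inspect the claims inside a service-account token (added example, not from the page).

A service account token is a JWT: header.payload.signature, each base64url encoded.
Reading the payload needs no key, so whoever can read the mounted file learns the
namespace, service account and (for bound tokens) the pod the token belongs to.
Tokens here are CONSTRUCTED and unsigned; real tokens are signed by the API server
and must only be trusted after signature verification with its public key.
"""
import base64
import json
import time

# Default in-container mount path used by Kubernetes for the projected token.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_token(claims: dict) -> str:
    """Build an unsigned JWT carrying the given claims (constructed test input only)."""
    header = {"alg": "RS256", "kid": "fake-kid"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "fake-signature"])


def read_mounted_token(path: str = TOKEN_PATH) -> str:
    """Read the token the way a process inside the pod (or an attacker in it) would."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This recovers the identity the token grants; it proves nothing, so never use
    the result for an authorization decision."""
    try:
        _header, payload, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(payload))


def summarize(claims: dict, now=None) -> dict:
    """Extract the fields a reviewer cares about, for both token layouts.

    Bound (projected) tokens nest namespace/pod/serviceaccount under "kubernetes.io"
    and carry "exp"; legacy Secret-backed tokens use flat
    "kubernetes.io/serviceaccount/*" claims and have no expiry at all."""
    now = time.time() if now is None else now
    k8s = claims.get("kubernetes.io") or {}
    legacy = "kubernetes.io/serviceaccount/namespace" in claims
    namespace = k8s.get("namespace") or claims.get("kubernetes.io/serviceaccount/namespace")
    sa_name = ((k8s.get("serviceaccount") or {}).get("name")
               or claims.get("kubernetes.io/serviceaccount/service-account.name"))
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "namespace": namespace,
        "service_account": sa_name,
        "pod": (k8s.get("pod") or {}).get("name"),
        "legacy_secret_token": legacy,
        "expires": exp is not None,
        "expired": exp is not None and exp <= now,
    }


# Constructed sample: a bound token as projected into a pod in namespace "payments".
SAMPLE_BOUND = make_fake_token({
    "aud": ["https://kubernetes.default.svc"],
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:payments:deployer",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "kubernetes.io": {
        "namespace": "payments",
        "pod": {"name": "deployer-7c9d", "uid": "00000000-0000-0000-0000-000000000001"},
        "serviceaccount": {"name": "deployer", "uid": "00000000-0000-0000-0000-000000000002"},
    },
})

# Constructed sample: a legacy Secret-backed token; note there is no "exp" claim.
SAMPLE_LEGACY = make_fake_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:default",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "default-token-abc12",
    "kubernetes.io/serviceaccount/service-account.name": "default",
})

if __name__ == "__main__":
    for token in (SAMPLE_BOUND, SAMPLE_LEGACY):
        print(json.dumps(summarize(decode_claims(token), now=1_700_000_100), indent=2))
```

Run it inside a pod by replacing the samples with `read_mounted_token()`; a `legacy_secret_token` of `True` or `expires` of `False` in the output means a stolen copy stays valid until the token is rotated, which is the strongest argument for not mounting it in the first place.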

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: automountServiceAccountToken (Optional)
    When set to false, the pod opts out of automounting API credentials for its service account. The field must sit in the pod spec (not on the outer workload object), so its path differs by kind. The same field also exists on the ServiceAccount object; when both are set, the pod-level value wins.

```yaml
# Pod
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
+ automountServiceAccountToken: false
```

```yaml
# CronJob (batch/v1; batch/v1beta1 was removed in Kubernetes 1.25)
apiVersion: batch/v1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
+         automountServiceAccountToken: false
```

```yaml
# Other (Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job)
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
+     automountServiceAccountToken: false
```
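The three manifest shapes above differ only in where the pod spec lives, which is also where this check most often gets fooled: the field placed on the outer Deployment spec is silently ignored. The added example below (this page's editor's code, not Checkov's or any project's implementation) evaluates plain-dict manifests, as produced by `yaml.safe_load`, against the fix table. It goes one step beyond the page by also consulting ServiceAccount objects, since Kubernetes honours `automountServiceAccountToken: false` set on the ServiceAccount when the pod does not set the field itself. The sample manifests, resource names and the `audit`/`check_automount` helpers are this example's own.

```python
"""Build-time check for automountServiceAccountToken (added example, not the page's code).

Manifests are plain dicts (what yaml.safe_load returns). The pod spec is located
per kind exactly as in the fix table: Pod -> spec, CronJob ->
spec.jobTemplate.spec.template.spec, template-based kinds -> spec.template.spec.
ServiceAccount objects carry the field at top level (not under spec); the pod-level
value, when present, takes precedence over the ServiceAccount's.
"""

TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
                  "ReplicationController", "Job"}


def pod_spec(manifest):
    """Return the pod spec for a workload manifest, or None for non-workload kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        job_spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job_spec.get("template") or {}).get("spec")
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec")
    return None


def index_service_accounts(manifests):
    """Map (namespace, name) -> ServiceAccount manifest for the SA fallback lookup."""
    index = {}
    for m in manifests:
        if m.get("kind") == "ServiceAccount":
            meta = m.get("metadata") or {}
            index[(meta.get("namespace", "default"), meta.get("name"))] = m
    return index


def check_automount(manifest, service_accounts=None):
    """Return (passed, reason); passed is True when no token will be mounted."""
    spec = pod_spec(manifest)
    if spec is None:
        return True, "not a workload kind; nothing to check"
    value = spec.get("automountServiceAccountToken")
    if value is False:
        return True, "pod spec sets automountServiceAccountToken: false"
    if value is True:
        return False, "pod spec explicitly mounts the token"
    # Unset at pod level: Kubernetes falls back to the ServiceAccount (default: "default").
    namespace = (manifest.get("metadata") or {}).get("namespace", "default")
    sa_name = spec.get("serviceAccountName") or "default"
    sa = (service_accounts or {}).get((namespace, sa_name))
    if sa is not None and sa.get("automountServiceAccountToken") is False:
        return True, f"inherits automountServiceAccountToken: false from ServiceAccount {namespace}/{sa_name}"
    return False, f"automountServiceAccountToken unset; token for {namespace}/{sa_name} will be mounted"


def audit(manifests):
    """Run the check over every manifest; keys are 'Kind/name'."""
    sas = index_service_accounts(manifests)
    results = {}
    for m in manifests:
        if pod_spec(m) is None:
            continue
        name = (m.get("metadata") or {}).get("name", "<unnamed>")
        results[f"{m.get('kind')}/{name}"] = check_automount(m, sas)
    return results


# Constructed sample manifests (not from any real cluster).
SAMPLE_MANIFESTS = [
    # Correct: field inside the CronJob's pod template.
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "backup"},
     "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {
         "spec": {"automountServiceAccountToken": False,
                  "containers": [{"name": "b", "image": "backup:1"}]}}}}}},
    # Wrong: field on the outer Deployment spec, where Kubernetes ignores it.
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"automountServiceAccountToken": False, "template": {
         "spec": {"containers": [{"name": "w", "image": "web:1"}]}}}},
    # Missing entirely: default ServiceAccount, token mounted.
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
     "spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
    # Unset on the pod but disabled on its ServiceAccount: passes by inheritance.
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "reporter-sa", "namespace": "reports"},
     "automountServiceAccountToken": False},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "reporter", "namespace": "reports"},
     "spec": {"serviceAccountName": "reporter-sa",
              "containers": [{"name": "r", "image": "reporter:1"}]}},
]

if __name__ == "__main__":
    for key, (passed, reason) in audit(SAMPLE_MANIFESTS).items():
        print(f"{'PASS' if passed else 'FAIL'}  {key}: {reason}")
```

The Deployment case is the one to watch for in review: the YAML looks fixed, but the field is outside the pod template and the check correctly reports it as failing.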