lacework-global-749

Ensure that Service Account Tokens are only mounted where necessary (Automated)

Description

You should not mount service account tokens in pods except where the workload running in the pod explicitly needs to communicate with the API server.

Remediation

Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it. To disable the automatic mounting of the service account token, set spec.automountServiceAccountToken to false. Note: it is not possible to patch an existing pod directly; the pod must be destroyed and recreated with the updated configuration in place.
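As an added illustration of the check this policy automates (not Lacework's own implementation), the following Python applies the Kubernetes precedence rule to constructed pod and ServiceAccount objects: the pod's spec.automountServiceAccountToken wins when set, otherwise the ServiceAccount's automountServiceAccountToken applies, and when neither is set the token is mounted.

```python
"""Flag pods whose service account token is auto-mounted (constructed example)."""

# Sample objects shaped like items from `kubectl get pods,serviceaccounts -o json`,
# trimmed to the fields the check needs. Constructed, not from a real cluster.
SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "web", "name": "default"}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "automountServiceAccountToken": False},
]

PODS = [
    # Default SA, nothing set anywhere: Kubernetes mounts the token.
    {"metadata": {"namespace": "web", "name": "nginx"}, "spec": {}},
    # SA disables mounting and the pod does not override: not mounted.
    {"metadata": {"namespace": "web", "name": "frontend-1"},
     "spec": {"serviceAccountName": "frontend"}},
    # Pod explicitly re-enables mounting, overriding the SA: mounted.
    {"metadata": {"namespace": "web", "name": "frontend-admin"},
     "spec": {"serviceAccountName": "frontend",
              "automountServiceAccountToken": True}},
    # Remediated pod: explicit false on the pod wins over the default SA.
    {"metadata": {"namespace": "web", "name": "batch"},
     "spec": {"automountServiceAccountToken": False}},
]


def token_is_mounted(pod, service_accounts):
    """True when the pod's token is auto-mounted (pod spec > SA > default True)."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = pod["metadata"]["namespace"]
    sa_name = spec.get("serviceAccountName", "default")
    sa = next((s for s in service_accounts
               if s["metadata"]["namespace"] == ns
               and s["metadata"]["name"] == sa_name), {})
    # Absent on both objects means the Kubernetes default: mount it.
    return bool(sa.get("automountServiceAccountToken", True))


def find_violations(pods, service_accounts):
    """namespace/name of every pod that still mounts a token."""
    return [f"{p['metadata']['namespace']}/{p['metadata']['name']}"
            for p in pods if token_is_mounted(p, service_accounts)]


if __name__ == "__main__":
    for ref in find_violations(PODS, SERVICE_ACCOUNTS):
        print("token mounted:", ref)
```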

References

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
https://kubernetes.io/docs/concepts/workloads/pods/#working-with-pods
https://kubernetes.io/docs/concepts/workloads/