lacework-global-749
Ensure that Service Account Tokens are only mounted where necessary (Automated)
Description
Do not mount service account tokens in pods except where the workload running in the pod explicitly needs to communicate with the API server. A token mounted into a container that does not need it gives anyone who compromises that container a credential that authenticates to the API server with the service account's permissions.
Remediation
Modify the definition of pods and service accounts that do not need to mount service account tokens to disable it.
To disable the automatic mounting of the service account token, set automountServiceAccountToken: false in the pod spec (spec.automountServiceAccountToken) or on the ServiceAccount object itself. A value set in the pod spec takes precedence over the value on the ServiceAccount; when neither is set, the token is mounted. Setting it to false on the ServiceAccount makes opting out the default for every pod that uses that account, so only the pods that genuinely need the API server have to set it back to true.
Note: It is not possible to patch an existing pod directly; the pod must be deleted and recreated with the updated configuration in place. For pods managed by a controller such as a Deployment, update the pod template and let the controller roll the pods.
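As an added example (not part of this policy's automated check or of the Kubernetes project), the following Python script applies the decision rule described above to a constructed set of pod and ServiceAccount objects and reports which pods will have a token mounted. The sample objects are constructed inline in the shape of `kubectl get pods -A -o json` and `kubectl get serviceaccounts -A -o json` output, trimmed to the fields the check needs; in practice you would feed it those commands' real output. It also reports, separately, pods that mount a token explicitly through a projected volume despite automount being off, since those are deliberate opt-ins a reviewer should confirm.

```python
"""Audit which pods get a service account token mounted.

Decision rule: a pod mounts a token unless automountServiceAccountToken
is false, where the pod spec field overrides the ServiceAccount field
and an unset field on both means "mount". Sample objects below are
constructed for this example.
"""
import json

# Constructed sample ServiceAccount list (kubectl -o json shape, trimmed).
SERVICE_ACCOUNTS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "default"}},
    {"metadata": {"namespace": "default", "name": "batch-sa"},
     "automountServiceAccountToken": False},
    {"metadata": {"namespace": "default", "name": "controller-sa"}},
]})

# Constructed sample pod list covering each branch of the rule.
PODS_JSON = json.dumps({"items": [
    # No serviceAccountName and no pod setting: default SA, token mounted.
    {"metadata": {"namespace": "default", "name": "web-0"},
     "spec": {"containers": [{"name": "web"}]}},
    # SA opts out, pod says nothing: no token.
    {"metadata": {"namespace": "default", "name": "batch-1"},
     "spec": {"serviceAccountName": "batch-sa",
              "containers": [{"name": "job"}]}},
    # Pod field wins over the SA field: explicitly opts back in.
    {"metadata": {"namespace": "default", "name": "batch-2"},
     "spec": {"serviceAccountName": "batch-sa",
              "automountServiceAccountToken": True,
              "containers": [{"name": "job"}]}},
    # Pod opts out even though its SA would mount by default.
    {"metadata": {"namespace": "default", "name": "worker-3"},
     "spec": {"serviceAccountName": "controller-sa",
              "automountServiceAccountToken": False,
              "containers": [{"name": "w"}]}},
    # Workload that needs the API server: listed so the need can be confirmed.
    {"metadata": {"namespace": "default", "name": "controller-4"},
     "spec": {"serviceAccountName": "controller-sa",
              "automountServiceAccountToken": True,
              "containers": [{"name": "ctl"}]}},
    # Automount off, but a projected serviceAccountToken volume mounts one anyway.
    {"metadata": {"namespace": "default", "name": "projected-5"},
     "spec": {"serviceAccountName": "batch-sa",
              "automountServiceAccountToken": False,
              "volumes": [{"name": "tok", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}],
              "containers": [{"name": "p"}]}},
]})


def sa_automount_index(sa_list):
    """Map (namespace, name) -> the SA's automountServiceAccountToken (None if unset)."""
    return {(sa["metadata"]["namespace"], sa["metadata"]["name"]):
            sa.get("automountServiceAccountToken") for sa in sa_list["items"]}


def token_automounted(pod, sa_index):
    """Effective automount decision for one pod: pod spec first, then SA, then default true."""
    spec = pod["spec"]
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    sa_name = spec.get("serviceAccountName", "default")
    sa_setting = sa_index.get((pod["metadata"]["namespace"], sa_name))
    return True if sa_setting is None else sa_setting


def has_projected_token_volume(pod):
    """True if the pod mounts a token explicitly via a projected volume source."""
    for vol in pod["spec"].get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    return False


def audit(pods_json, sas_json):
    """Return {'automounted': [...], 'projected': [...]} of 'namespace/name' refs."""
    sa_index = sa_automount_index(json.loads(sas_json))
    findings = {"automounted": [], "projected": []}
    for pod in json.loads(pods_json)["items"]:
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        if token_automounted(pod, sa_index):
            findings["automounted"].append(ref)
        if has_projected_token_volume(pod):
            findings["projected"].append(ref)
    return findings


if __name__ == "__main__":
    for kind, refs in audit(PODS_JSON, SERVICE_ACCOUNTS_JSON).items():
        print(f"{kind}: {', '.join(refs) or '(none)'}")
```

Every pod in the "automounted" list should either be an intended API-server client (here, controller-4) or be fixed by setting the field to false on the pod template or its ServiceAccount and recreating the pod.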
References
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
https://kubernetes.io/docs/concepts/workloads/pods/#working-with-pods
https://kubernetes.io/docs/concepts/workloads/