lacework-global-826

Ensure that default service accounts are not automatically mounting their Kubernetes API access token (Automated)

Description

The default service account automatically mounts its service account token into each container of every pod in the namespace where it resides. That token lets the pod authenticate to the Kubernetes API server. This is open to abuse by an attacker with access to just a single container, including privilege escalation through mounting of the node root volume.

Remediation

Modify the configuration of each default service account to include this value:

automountServiceAccountToken: false

If using kubectl, you can do this with a single command for a given namespace (replace <namespace> with the target namespace):

kubectl patch serviceaccount default --namespace=<namespace> -p $'automountServiceAccountToken: false'
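The following Python script is an added example, not Lacework's own check or the Kubernetes project's code. It shows how to audit the condition this policy describes from the JSON that `kubectl get serviceaccounts,pods -A -o json` returns: which namespaces still have a default service account that automounts its token, and which pods actually end up with a token in their containers. It goes one step beyond the text by applying the precedence rule documented by Kubernetes (an explicit `automountServiceAccountToken` in the pod spec overrides the service account's setting), so that workloads that genuinely need API access can be opted in individually after the default account is locked down. The cluster objects below are constructed inline, so the script runs offline; the helper names (`audit`, `pod_token_mounted`, `remediation_commands`) are this example's own.

```python
"""Audit default service accounts and pods for automatic API token mounting.

Added example (not the policy's implementation). Input is the `items` list of
`kubectl get serviceaccounts,pods -A -o json`; the sample below is constructed.
"""
import json
import sys
from typing import Any, Dict, List, Tuple

Obj = Dict[str, Any]


def sa_automounts(sa: Obj) -> bool:
    """A ServiceAccount mounts its token unless the field is explicitly false.

    `kubectl get -o json` omits the field when it was never set, which
    Kubernetes treats as "mount the token".
    """
    return sa.get("automountServiceAccountToken") is not False


def pod_token_mounted(pod: Obj, sas: Dict[Tuple[str, str], Obj]) -> bool:
    """Decide whether a pod receives a token in its containers.

    Precedence (Kubernetes docs): an explicit value in pod.spec wins; otherwise
    the ServiceAccount's value applies; if neither is set, the token is mounted.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = pod["metadata"]["namespace"]
    sa_name = spec.get("serviceAccountName", "default")
    return sa_automounts(sas.get((ns, sa_name), {}))


def audit(items: List[Obj]) -> Dict[str, List[str]]:
    """Return namespaces failing the policy and pods that still get a token."""
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
           for i in items if i.get("kind") == "ServiceAccount"}
    pods = [i for i in items if i.get("kind") == "Pod"]
    noncompliant = sorted(ns for (ns, name), sa in sas.items()
                          if name == "default" and sa_automounts(sa))
    mounted = sorted(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
                     for p in pods if pod_token_mounted(p, sas))
    return {"noncompliant_default_sa": noncompliant, "pods_with_token": mounted}


def remediation_commands(namespaces: List[str]) -> List[str]:
    """Build the kubectl patch (JSON merge-patch form) for each failing namespace."""
    patch = json.dumps({"automountServiceAccountToken": False})
    return [f"kubectl patch serviceaccount default --namespace={ns} -p '{patch}'"
            for ns in namespaces]


def load_items(text: str) -> List[Obj]:
    """Extract the item list from `kubectl get ... -o json` output."""
    return json.loads(text)["items"]


# Constructed sample cluster state (not from a real cluster).
SAMPLE_ITEMS: List[Obj] = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "payments"}},          # field unset: fails
    {"kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "batch"},
     "automountServiceAccountToken": False},                              # remediated
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "payments"},
     "spec": {"containers": [{"name": "web", "image": "example/web"}]}},  # inherits SA: token
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "batch"},
     "spec": {"automountServiceAccountToken": True,                       # explicit opt-in
              "containers": [{"name": "w", "image": "example/worker"}]}},
    {"kind": "Pod", "metadata": {"name": "cron", "namespace": "batch"},
     "spec": {"containers": [{"name": "c", "image": "example/cron"}]}},   # inherits SA: no token
]


if __name__ == "__main__":
    # Pipe real output in (kubectl get serviceaccounts,pods -A -o json | python3 audit.py)
    # or run with no stdin to use the constructed sample.
    items = load_items(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_ITEMS
    result = audit(items)
    print(json.dumps(result, indent=2))
    for cmd in remediation_commands(result["noncompliant_default_sa"]):
        print(cmd)
```

The merge-patch form in `remediation_commands` is equivalent to the YAML patch shown above; kubectl accepts either. Reviewing `pods_with_token` after patching is the useful part: any pod still listed either opted in explicitly or uses a non-default service account that has not been locked down.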

References

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting
https://aws.github.io/aws-eks-best-practices/security/docs/iam/#disable-auto-mounting-of-service-account-tokens