Restrict Automounting of Service Account Tokens

An XCCDF Rule

Details
Profiles

Description

Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tokens, set automountServiceAccountToken to false.

Rationale

Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.

ID: xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

Req-2.2

5.1.6

SRG-APP-000516-CTR-001325

APP.4.4.A9

2.2 2.2.1
Updated: over 1 year ago