Service account tokens are Kubernetes secrets created automatically to authenticate applications running inside pods to the API server. If a pod is compromised, an attacker could use this token to gain access to other resources in the cluster.
For example, they could create new pods, modify existing ones, or even delete critical system pods, depending on the permissions associated with the service account.
Therefore, it’s recommended to disable the automounting of service account tokens when it’s not necessary for the application running in the pod.
If a pod with a mounted service account gets compromised, an attacker could potentially use the token to interact with the Kubernetes API, possibly leading to unauthorized access to other resources in the cluster.
Service account tokens are often bound with roles that have extensive permissions. If these tokens are exposed, it could lead to privilege escalation where an attacker gains higher-level permissions than intended.
Service account tokens can be used to access sensitive data stored in the Kubernetes cluster. If these tokens are compromised, it could lead to a data breach.
An attacker with access to a service account token could potentially overload the Kubernetes API server by sending a large number of requests, leading to a Denial of Service (DoS) attack.
apiVersion: v1
kind: Pod
metadata:
name: example-pod
spec: # Noncompliant
containers:
- name: example-pod
image: nginx:1.25.3
apiVersion: v1
kind: Pod
metadata:
name: example-pod
spec:
containers:
- name: example-pod
image: nginx:1.25.3
automountServiceAccountToken: false
The automounting of service account tokens can be disabled by setting automountServiceAccountToken: false in the pod’s specification.
Additionally, it can be disabled in the configuration of an accompanied service account.