C-0034 - Automatic mapping of service account
Automatic mapping of service account
ArmoBest, NSA, AllControls
Description of the the issue
We have it in Armo best (Automatic mapping of service account token).
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, ServiceAccount, StatefulSet
What does this control test
Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount
Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.
apiVersion: v1 kind: ServiceAccount metadata: name: build-robot automountServiceAccountToken: false # we look for this attribute
Updated 2 days ago