C-0034 - Automatic mapping of service account

Framework

WorkloadScan, security, ArmoBest, NSA, AllControls

Severity

Medium

Description of the the issue

We have it in Armo best (Automatic mapping of service account token).

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, ServiceAccount, StatefulSet

What does this control test

Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount

Remediation

Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.

Example

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false # we look for this attribute