ArmoBest, NSA, YAML-scanning, AllControls
We have it in Armo best (Automatic mapping of service account token).
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, Serviceaccount, StatefulSet
Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount
Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.
apiVersion: v1 kind: ServiceAccount metadata: name: build-robot automountServiceAccountToken: false # we look for this attribute
Updated about 2 months ago