C-0034 - Automatic mapping of service account

Automatic mapping of service account


ArmoBest, NSA, AllControls, YAML-scanning



Description of the the issue

We have it in Armo best (Automatic mapping of service account token).

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, ServiceAccount, StatefulSet

What does this control test

Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount


Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.


apiVersion: v1
kind: ServiceAccount
  name: build-robot
automountServiceAccountToken: false # we look for this attribute