C-0034 - Automatic mapping of service account
Framework
WorkloadScan, security, ArmoBest, NSA, AllControls
Severity
Medium
Description of the the issue
We have it in Armo best (Automatic mapping of service account token).
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, ServiceAccount, StatefulSet
What does this control test
Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount
Remediation
Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.
Example
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
automountServiceAccountToken: false # we look for this attribute
Updated 11 days ago