C-0261 - ServiceAccount token mounted

Framework

security

Severity

High

Description of the the issue

Potential attacker may gain access to a workload and steal its ServiceAccount token. Therefore, it is recommended to disable automatic mapping of the ServiceAccount tokens in ServiceAccount configuration. Enable it only for workloads that need to use them and ensure that this ServiceAccount is not bound to an unnecessary ClusterRoleBinding or RoleBinding.

Related resources

ClusterRoleBinding, CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, RoleBinding, ServiceAccount, StatefulSet

What does this control test

test if ServiceAccount token is mounted on workload and it has at least one binding.

Remediation

Disable automatic mounting of service account tokens to pods at the workload level, by specifying automountServiceAccountToken: false. Enable it only for workloads that need to use them and ensure that this ServiceAccount doesn't have unnecessary permissions

Example

No example