Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

By default, Kubernetes automatically mounts the Pod's service account token into every container in the Pod. Unless ‘automountServiceAccountToken’ is explicitly set to false in the Pod specification, that credential is exposed to the application even when the workload never needs to talk to the Kubernetes API.

Impact

An attacker who gains code execution in any container of the Pod (for example through an application vulnerability) can read the token from /var/run/secrets/kubernetes.io/serviceaccount/token and authenticate to the Kubernetes API as that service account. Whatever RBAC permissions the service account holds are then available to the attacker, who can use them to read sensitive resources such as Secrets, create or modify workloads, escalate privileges, or ultimately compromise the cluster.

Resolution

Set automountServiceAccountToken to false in the Pod specification of every workload that does not need to call the Kubernetes API. In the Terraform Kubernetes provider the corresponding argument is automount_service_account_token inside the spec block of kubernetes_pod (and inside the Pod template of kubernetes_deployment and similar workload resources). The mount can also be disabled on the service account itself, but when both are set the value in the Pod specification takes precedence, so the Pod-level setting is the one to rely on.
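The following is an added example, not code from the rule page: the same Pod written with the Terraform Kubernetes provider, first in the flagged form and then with the mount disabled, plus the service account-level setting as defence in depth. The resource names, the Pod and service account names, and the container image are placeholders chosen for illustration.

```terraform
# Added example (not from the rule page). Names and image are placeholders.

# Flagged: automount_service_account_token is not set, so the Kubernetes
# default (true) applies and the token is mounted at
# /var/run/secrets/kubernetes.io/serviceaccount/token in every container.
resource "kubernetes_pod" "insecure" {
  metadata {
    name = "example-app-insecure"
  }

  spec {
    container {
      name  = "app"
      image = "nginx:1.25"
    }
  }
}

# Defence in depth: disable automounting on the service account itself so
# Pods that omit the field do not get a token either. A Pod that explicitly
# sets automount_service_account_token = true still overrides this.
resource "kubernetes_service_account" "app" {
  metadata {
    name = "app-sa"
  }

  automount_service_account_token = false
}

# Fixed: the Pod spec explicitly disables the mount. The Pod-level value takes
# precedence over the service account's, so this is the setting to rely on for
# a workload that never calls the Kubernetes API.
resource "kubernetes_pod" "secure" {
  metadata {
    name = "example-app-secure"
  }

  spec {
    service_account_name            = kubernetes_service_account.app.metadata[0].name
    automount_service_account_token = false

    container {
      name  = "app"
      image = "nginx:1.25"
    }
  }
}
```

To confirm the fix took effect on a running Pod, open a shell in the container and check that /var/run/secrets/kubernetes.io/serviceaccount no longer exists; if the workload does need API access, scope the service account's RBAC role to the minimum verbs and resources instead of leaving the token unmounted.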