C-0261 - ServiceAccount token mounted
Framework
security
Severity
High
Description of the the issue
Potential attacker may gain access to a workload and steal its ServiceAccount token. Therefore, it is recommended to disable automatic mapping of the ServiceAccount tokens in ServiceAccount configuration. Enable it only for workloads that need to use them and ensure that this ServiceAccount is not bound to an unnecessary ClusterRoleBinding or RoleBinding.
Related resources
ClusterRoleBinding, CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, RoleBinding, ServiceAccount, StatefulSet
What does this control test
test if ServiceAccount token is mounted on workload and it has at least one binding.
Remediation
Disable automatic mounting of service account tokens to pods at the workload level, by specifying automountServiceAccountToken: false. Enable it only for workloads that need to use them and ensure that this ServiceAccount doesn't have unnecessary permissions
Example
No example
Updated about 1 month ago