Service account tokens are not mounted where necessary
Description
One way to authenticate the API is by using the Service Account token. ServiceAccount is an object managed by Kubernetes and used to provide an identity for processes that run in a pod. Every service account has a secret related to it, this secret contains a bearer token. This is a JSON Web Token (JWT), a method for representing claims securely between two parties. This Service Account token is being used during the authentication stage and can become useful for attackers if the service account is privileged and they have access to such a token. With this token an attacker can easily impersonate the service account and use REST APIs.
Code Example
pod
apiVersion: v1
kind: Pod
metadata:
name: <name>
spec:
+ automountServiceAccountToken: falseRemediation
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Arguments: automountServiceAccountToken (Optional) When set to false, you can opt out of automating API credentials for a service account.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1116 |
| Severity | LOW |
| IaC Type | Kubernetes |
| Frameworks | Kubernetes, |
| Checkov ID | CKV_K8S_38 |