Disable Automount SA Token

Description

A new ServiceAccount called default is created whenever a new Namespace is created. Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount. This policy mutates any new default ServiceAccount to disable auto-mounting of its token into Pods, obviating the need to do so for each Pod individually.

Risks

In Kubernetes, there are two key security layers: authentication and authorization (authz). Authentication ensures that the pod or user is who they claim to be, while authorization determines what actions they’re allowed to perform. When a pod is created, it automatically mounts a service account token, which allows it to interact with the Kubernetes API server for authentication purposes. However, by default, the pod doesn’t have permission (via authorization) to do much with that access.

The problem arises when an attacker gains control of a pod. Even though the attacker might not have initial permissions (due to the security of the authz layer), if they manage to bypass authorization, they can exploit the service account token to escalate privileges and perform unauthorized actions across the cluster. For example, an attacker could perform API requests like creating or deleting pods.

Kyverno Policy

Refer to the Nirmata curated policies - disable-automount-sa-token.

Resource Example

Below is an example of a ServiceAccount resource enforcing this policy where automountServiceAccountToken is set to false.

apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
  name: default
  namespace: disable-satokenmount-ns
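As an added audit example (not part of the page or the Nirmata policy), the script below computes, for each Pod, whether a token will still be mounted after the default ServiceAccount has been mutated as shown above. It encodes the Kubernetes precedence rule: a Pod's own spec.automountServiceAccountToken overrides the ServiceAccount's setting, and when neither is set the token is mounted. The input manifests are constructed sample dicts in the shape `kubectl get -o json` returns; the namespace, Pod names and the `builder` ServiceAccount are assumptions.

```python
"""Audit which Pods still receive a ServiceAccount token.

Kubernetes rule: pod.spec.automountServiceAccountToken, when set, takes
precedence over the ServiceAccount's automountServiceAccountToken; if
neither is set, the token is mounted (cluster default is true).
"""


def index_service_accounts(sa_list):
    """Map (namespace, name) -> ServiceAccount manifest."""
    return {(sa["metadata"]["namespace"], sa["metadata"]["name"]): sa for sa in sa_list}


def effective_automount(pod, service_accounts):
    """Return True if this Pod will get a projected SA token volume."""
    spec = pod.get("spec", {})
    ns = pod["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:      # Pod spec wins when explicitly set
        return bool(pod_setting)
    sa = service_accounts.get((ns, sa_name))
    if sa is None:                   # unknown SA: assume the cluster default
        return True
    sa_setting = sa.get("automountServiceAccountToken")
    return True if sa_setting is None else bool(sa_setting)


def pods_with_token(pods, sa_list):
    """Return [(namespace, pod name)] for Pods that still mount a token."""
    sas = index_service_accounts(sa_list)
    return [(p["metadata"]["namespace"], p["metadata"]["name"])
            for p in pods if effective_automount(p, sas)]


# Constructed sample: the mutated default SA from the page plus an untouched SA.
SAMPLE_SAS = [
    {"kind": "ServiceAccount", "automountServiceAccountToken": False,
     "metadata": {"name": "default", "namespace": "disable-satokenmount-ns"}},
    {"kind": "ServiceAccount",
     "metadata": {"name": "builder", "namespace": "disable-satokenmount-ns"}},
]
SAMPLE_PODS = [
    {"metadata": {"name": "quiet", "namespace": "disable-satokenmount-ns"},
     "spec": {}},                                          # mutated default SA -> no token
    {"metadata": {"name": "override", "namespace": "disable-satokenmount-ns"},
     "spec": {"automountServiceAccountToken": True}},      # Pod spec overrides -> token
    {"metadata": {"name": "builder-job", "namespace": "disable-satokenmount-ns"},
     "spec": {"serviceAccountName": "builder"}},           # non-default SA -> token
]

if __name__ == "__main__":
    for ns, name in pods_with_token(SAMPLE_PODS, SAMPLE_SAS):
        print(f"{ns}/{name} still mounts a service account token")
```

The two flagged Pods show the policy's limits: it only mutates the default ServiceAccount, so Pods that opt in explicitly or use another ServiceAccount keep their token and need separate handling.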