Profile Applicability:
• Level 1
Description:
Ensure that service account tokens are only mounted in pods where explicitly required for communication with the Kubernetes API server.
Rationale:
Service account tokens mounted inside pods provide the pod with credentials to interact with the Kubernetes API. However, these tokens can be leveraged for privilege escalation attacks if a pod is compromised. Limiting the mounting of these tokens to only the pods that need to communicate with the API server helps reduce the attack surface and minimizes the risk of exploitation.
Impact:
Pros:
Reduces the risk of privilege escalation in case of pod compromise.
Minimizes the attack surface for workloads running in the cluster.
Provides better security control by restricting unnecessary API server access.
Cons:
Pods that require API server access will need an explicit service account token, which may require additional configuration.
Default Value:
By default, all pods automatically have a service account token mounted within them unless explicitly disabled.
Pre-requisites:
Access to the Kubernetes cluster with sufficient privileges to modify pod and service account configurations.
Knowledge of workloads requiring access to the Kubernetes API.
Remediation:
Test Plan:
Using AWS Console:
Review the service account and pod configurations in the cluster.
Ensure that for service accounts and pods that do not need to interact with the API server, the automountServiceAccountToken setting is set to false.
Review all pod definitions and ensure that they do not have unnecessary service account tokens mounted by default.
Using AWS CLI:
Get the list of service accounts and check their automountServiceAccountToken settings:
kubectl get serviceaccounts --all-namespaces -o yaml
Review the settings for each service account and ensure that automountServiceAccountToken: false is configured for service accounts that do not need API server access.
Get the list of pods and check if service account tokens are being automatically mounted.
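To carry out the two CLI checks above against real output rather than by eye, here is an added audit script (example code, not part of the benchmark text). It consumes the JSON from `kubectl get pods --all-namespaces -o json` and `kubectl get serviceaccounts --all-namespaces -o json`, applies the precedence Kubernetes uses (a pod-level automountServiceAccountToken overrides the service account's, and unset on both means the token is mounted), and also flags pods that mount a token themselves through a projected volume, which the service account setting does not prevent. The embedded sample data is constructed, and the function names are the example's own.

```python
import json
import sys

# Constructed sample data standing in for `kubectl get ... -o json` output.
SAMPLE_SERVICEACCOUNTS = {
    "items": [
        {"metadata": {"name": "default", "namespace": "web"}},
        {"metadata": {"name": "api-client", "namespace": "web"},
         "automountServiceAccountToken": True},
        {"metadata": {"name": "batch", "namespace": "jobs"},
         "automountServiceAccountToken": False},
    ]
}
SAMPLE_PODS = {
    "items": [
        # default SA, nothing set on pod or SA -> token is mounted
        {"metadata": {"name": "frontend", "namespace": "web"},
         "spec": {"containers": [{"name": "nginx"}]}},
        # pod-level false wins over the SA's true
        {"metadata": {"name": "static", "namespace": "web"},
         "spec": {"serviceAccountName": "api-client",
                  "automountServiceAccountToken": False,
                  "containers": [{"name": "httpd"}]}},
        # SA false, but the pod mounts a token itself via a projected volume
        {"metadata": {"name": "worker", "namespace": "jobs"},
         "spec": {"serviceAccountName": "batch",
                  "containers": [{"name": "worker"}],
                  "volumes": [{"name": "tok", "projected": {"sources": [
                      {"serviceAccountToken": {"path": "token"}}]}}]}},
        # SA false, no override, no explicit volume -> compliant
        {"metadata": {"name": "cleaner", "namespace": "jobs"},
         "spec": {"serviceAccountName": "batch",
                  "containers": [{"name": "cleaner"}]}},
    ]
}


def index_serviceaccounts(sa_list):
    """Map (namespace, name) -> the SA's automountServiceAccountToken (None if unset)."""
    return {(sa["metadata"]["namespace"], sa["metadata"]["name"]):
            sa.get("automountServiceAccountToken") for sa in sa_list["items"]}


def has_explicit_token_volume(spec):
    """True if the pod spec itself declares a projected serviceAccountToken volume."""
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    return False


def effective_automount(pod, sa_index):
    """Kubernetes precedence: pod spec setting > service account setting > True."""
    spec = pod["spec"]
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    sa_setting = sa_index.get(key)
    return True if sa_setting is None else sa_setting


def audit(pods, serviceaccounts):
    """Return findings as (namespace, pod, serviceAccount, reason) tuples."""
    sa_index = index_serviceaccounts(serviceaccounts)
    findings = []
    for pod in pods["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        sa_name = pod["spec"].get("serviceAccountName", "default")
        if effective_automount(pod, sa_index):
            findings.append((ns, name, sa_name, "token auto-mounted"))
        elif has_explicit_token_volume(pod["spec"]):
            findings.append((ns, name, sa_name, "token mounted via projected volume"))
    return findings


def remediation_hint(finding):
    """Suggest the fix; patching the SA only affects pods created afterwards."""
    ns, pod, sa_name, reason = finding
    if reason == "token auto-mounted":
        return (f"kubectl patch serviceaccount {sa_name} -n {ns} "
                "-p '{\"automountServiceAccountToken\": false}'")
    return f"remove the projected serviceAccountToken volume from pod {ns}/{pod}"


if __name__ == "__main__":
    # usage: audit.py pods.json serviceaccounts.json (falls back to the sample data)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as pf, open(sys.argv[2]) as sf:
            pods, sas = json.load(pf), json.load(sf)
    else:
        pods, sas = SAMPLE_PODS, SAMPLE_SERVICEACCOUNTS
    for finding in audit(pods, sas):
        print("%s/%s (serviceAccount=%s): %s" % finding)
        print("  fix:", remediation_hint(finding))
```

Every pod that is reported needs a decision: either it genuinely talks to the API server and should keep the token through an explicit pod-level setting, or the service account it uses should be patched. Because the automount decision is made when a pod is admitted, pods that were already running keep their token until they are recreated, so re-run the audit after a rollout.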
Implementation Plan:
Using AWS Console:
Review the service account and pod configurations for workloads that do not need API server access.
For each service account or pod that does not require access, patch the service account to disable the automatic mounting of its token:
Ensure that only service accounts with explicit API server requirements have their tokens mounted.
Using AWS CLI:
Use kubectl patch to modify the service account configuration for each service account that should not automatically mount its token:
kubectl patch serviceaccount [service-account-name] -n [namespace] -p '{"automountServiceAccountToken": false}'
Ensure that pods requiring access to the API server explicitly reference the service account and have the necessary token mounted.
Backout Plan:
Using AWS Console:
If removing service account tokens causes issues with pods that require API access, revert the configuration by setting automountServiceAccountToken: true for those service accounts or pods.
Restore any roles or bindings for service accounts that lost access to the Kubernetes API.
Using AWS CLI:
Revert the automountServiceAccountToken setting to true for any service accounts or pods that require access to the API server.
Restore necessary configurations to ensure critical workloads have the required access.