Profile Applicability:
Level 1
Description:
Service account tokens are mounted by default in Kubernetes pods and used by applications within the pod to interact with the Kubernetes API. However, tokens should only be mounted into pods where necessary. This check ensures that tokens are not mounted in every pod, limiting the risk of accidental exposure and minimizing the attack surface.
Rationale:
Mounting service account tokens into pods that do not require them can lead to security risks, especially if an attacker gains access to the pod and is able to use the token for malicious actions. Service account tokens should be mounted only in pods where API access is required.
Impact:
Pros:
Reduces the attack surface by limiting unnecessary access to the Kubernetes API.
Minimizes the risk of leaking service account tokens in insecure pods.
Cons:
Additional configuration effort to ensure that tokens are only mounted in pods where required.
Might require reviewing and updating deployment configurations for existing workloads.
Default Value:
By default, Kubernetes mounts service account tokens into every pod, but this behavior can be controlled using the automountServiceAccountToken setting in pod specs.
Pre-requisites:
Ensure that the automountServiceAccountToken option is properly configured in the pod spec and that Kubernetes RBAC is properly set up to enforce token access only where necessary.
Remediation:
Test Plan:
Using Azure Console:
Review the deployment and pod specifications to check for the automountServiceAccountToken setting.
Ensure that the automountServiceAccountToken field is set to false for pods that do not need service account token access.
Using Azure CLI:
List all pods and check if the service account token is being mounted:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.automountServiceAccountToken}{"\n"}{end}'
Ensure that the output shows false for pods where the service account token is not required. A blank third column means the field is unset in the pod spec; the pod then inherits the automountServiceAccountToken setting of its service account, which itself defaults to true.
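Because an unset pod field falls back to the service account's setting, a plain jsonpath listing can miss pods that still receive a token. The following script, added here as an illustration and not part of this benchmark, resolves the effective setting for each pod from the JSON shape of kubectl get pods / kubectl get sa output; the pod and service account data are constructed samples.

```python
"""Resolve the effective automountServiceAccountToken value per pod.
Kubernetes uses the pod-level field when set, else the ServiceAccount's field,
else true (token mounted). Input mirrors `kubectl get pods/sa -A -o json`.
"""
import json

# Constructed sample data standing in for the two kubectl JSON dumps.
SAMPLE_PODS = {"items": [
    # explicit false at pod level: token not mounted regardless of SA
    {"metadata": {"namespace": "prod", "name": "web-0"},
     "spec": {"serviceAccountName": "web-sa",
              "automountServiceAccountToken": False}},
    # field unset, SA "default" has no setting: token IS mounted
    {"metadata": {"namespace": "prod", "name": "batch-worker-0"},
     "spec": {"serviceAccountName": "default"}},
    # field unset, but the SA itself opts out: token not mounted
    {"metadata": {"namespace": "prod", "name": "api-0"},
     "spec": {"serviceAccountName": "api-sa"}},
    # explicit true overrides the SA's false: token IS mounted
    {"metadata": {"namespace": "prod", "name": "api-debug-0"},
     "spec": {"serviceAccountName": "api-sa",
              "automountServiceAccountToken": True}},
]}
SAMPLE_SAS = {"items": [
    {"metadata": {"namespace": "prod", "name": "default"}},
    {"metadata": {"namespace": "prod", "name": "web-sa"}},
    {"metadata": {"namespace": "prod", "name": "api-sa"},
     "automountServiceAccountToken": False},
]}

def effective_automount(pod: dict, sas: dict) -> bool:
    """Return True if the API token will be mounted into this pod."""
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not None:
        return bool(spec["automountServiceAccountToken"])
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    sa_setting = sas.get(key, {}).get("automountServiceAccountToken")
    return True if sa_setting is None else bool(sa_setting)

def pods_with_token_mounted(pod_list: dict, sa_list: dict) -> list:
    """Return 'namespace/name' of every pod whose effective setting is true."""
    sas = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
           for s in sa_list["items"]}
    return sorted(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
                  for p in pod_list["items"] if effective_automount(p, sas))

if __name__ == "__main__":
    print(json.dumps(pods_with_token_mounted(SAMPLE_PODS, SAMPLE_SAS), indent=2))
```

Against a live cluster, replace the two samples with the parsed output of kubectl get pods -A -o json and kubectl get sa -A -o json; every pod listed should be one that genuinely needs API access.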
Implementation Plan:
Using Azure Console:
Access the pod or deployment specifications in the console.
Modify the automountServiceAccountToken setting to false for pods that do not require the service account token.
Using Azure CLI:
Update the pod or deployment spec to disable the automatic mounting of the service account token by setting automountServiceAccountToken: false in the pod specification:
kubectl edit deployment <deployment-name> --namespace=<namespace>
Add the following setting under the pod template's spec section (spec.template.spec for a Deployment) for the pods that do not need the service account token:
automountServiceAccountToken: false
Backout Plan:
Using Azure Console:
If disabling the token mounting causes issues with API access, revert the configuration and set automountServiceAccountToken back to true for the affected pods.
Using Azure CLI:
Revert the change by editing the deployment or pod spec to enable the automatic mounting of the service account token:
kubectl edit deployment <deployment-name> --namespace=<namespace>
Set automountServiceAccountToken to true.