Profile Applicability:
Level 1
Description:
Service accounts in Kubernetes are used to provide an identity for processes running in pods. By default, Kubernetes automatically creates a service account token and mounts it into each pod. This check ensures that access to service account token creation is minimized to only trusted workloads and that tokens are not automatically created or mounted unless required for specific use cases.
Rationale:
Allowing unnecessary or unrestricted creation of service account tokens can pose security risks, as the tokens can be used to authenticate as the service account, potentially granting unauthorized access to Kubernetes resources. By minimizing the creation of service account tokens, we can ensure better control over which pods and workloads can authenticate as service accounts, reducing the attack surface.
Impact:
Pros:
Reduces the risk of unauthorized access to Kubernetes resources by limiting the exposure of service account tokens.
Enforces better security hygiene by ensuring that only necessary workloads have service account tokens mounted.
Cons:
Some workloads may require service account tokens to interact with the Kubernetes API or other services.
Requires careful configuration to ensure that legitimate workloads can still access the necessary tokens.
Default Value:
By default, Kubernetes automatically creates and mounts a service account token into each pod, unless explicitly disabled.
Pre-requisites:
Ensure that RBAC (Role-Based Access Control) is configured to restrict access to service account tokens, and that PodSecurityPolicies (PSPs) or equivalent admission controllers are in place to enforce this policy.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Pod specifications to ensure that service account tokens are not mounted unless absolutely necessary.
Ensure that RBAC and PodSecurityPolicies (or equivalent security mechanisms) are configured to restrict unnecessary service account token creation and mounting.
Using Azure CLI:
Use the following command to list, per pod, the projected serviceAccountToken sources mounted in its pod specification (the token is a source inside a projected volume, not a field of the volume itself):
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.volumes[*].projected.sources[*].serviceAccountToken.path}{"\n"}{end}'
Ensure that service account tokens are only mounted where explicitly required for workload functionality.
Check the RBAC policies to ensure that only trusted service accounts can create or access service account tokens:
kubectl get rolebindings --all-namespaces
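The two checks above are easier to apply at scale with a small audit script. The following is an added example (not part of this benchmark) that computes the effective automount setting using Kubernetes precedence (pod spec overrides the ServiceAccount, both default to true) and also catches tokens mounted explicitly through a projected volume; the pod and service account data are constructed dicts in the shape that json.load of `kubectl get pods -A -o json` / `kubectl get serviceaccounts -A -o json` returns.

```python
# Constructed sample resembling `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"serviceAccountName": "frontend-sa", "volumes": []}},
    {"metadata": {"namespace": "web", "name": "api"},
     "spec": {"volumes": [{"name": "kube-api-access-abc12", "projected": {"sources": [
         {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}}]}}]}},
    {"metadata": {"namespace": "ops", "name": "job"},
     "spec": {"automountServiceAccountToken": False, "serviceAccountName": "job-sa",
              "volumes": [{"name": "manual-token", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}]}},
]}
# Constructed sample resembling `kubectl get serviceaccounts -A -o json`.
SAMPLE_SERVICE_ACCOUNTS = {"items": [
    {"metadata": {"namespace": "web", "name": "frontend-sa"}, "automountServiceAccountToken": False},
    {"metadata": {"namespace": "web", "name": "default"}},
    {"metadata": {"namespace": "ops", "name": "job-sa"}},
]}


def effective_automount(pod, sa_index):
    """Kubernetes precedence: pod.spec.automountServiceAccountToken overrides the
    ServiceAccount's setting; if neither is set the token is mounted (default true)."""
    pod_setting = pod["spec"].get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    ns = pod["metadata"]["namespace"]
    sa_name = pod["spec"].get("serviceAccountName", "default")
    return sa_index.get((ns, sa_name), {}).get("automountServiceAccountToken", True)


def has_token_volume(pod):
    """True if any projected volume carries a serviceAccountToken source, which is
    how a token reaches the pod even when automount is disabled."""
    for vol in pod["spec"].get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    return False


def audit(pods, service_accounts):
    """Return 'namespace/pod' for every pod that ends up with a token mounted."""
    sa_index = {(sa["metadata"]["namespace"], sa["metadata"]["name"]): sa
                for sa in service_accounts["items"]}
    return [f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
            for p in pods["items"] if effective_automount(p, sa_index) or has_token_volume(p)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print("token mounted:", finding)
```

Every pod reported must be justified by a documented need for API access; the rest are candidates for automountServiceAccountToken: false.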
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to Kubernetes Services and access the Pod specifications.
Modify the Pod security context to prevent unnecessary service account token creation by disabling the automatic mounting of service account tokens:
automountServiceAccountToken: false
Ensure that PodSecurityPolicies or equivalent controls are in place to restrict the automatic creation and mounting of service account tokens for non-trusted workloads.
Apply RBAC policies to restrict which users or service accounts have the permission to create or manage service account tokens.
Using Azure CLI:
To disable automountServiceAccountToken, add the following to the Pod specification:
automountServiceAccountToken: false
Apply the updated Pod configuration:
kubectl apply -f pod-spec.yaml
To restrict the RBAC permissions for service account token creation, create an RBAC policy that limits the creation of service account tokens:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: <namespace-name>
  name: restrict-token-creation
rules:
  # RBAC is additive: this Role grants only read verbs on the serviceaccounts
  # resource, so subjects bound to it cannot issue tokens (the TokenRequest API
  # is the serviceaccounts/token subresource, which needs the "create" verb).
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "list"]
Apply the RBAC policy:
kubectl apply -f rbac-policy.yaml
Backout Plan:
Using Azure Console:
If restricting the service account token creation causes issues with workloads, revert the changes in the Azure portal by re-enabling token mounting for the necessary workloads.
Using Azure CLI:
Revert the Pod specification to re-enable automatic service account token mounting by modifying the YAML configuration:
automountServiceAccountToken: true
Apply the reverted configuration:
kubectl apply -f pod-spec.yaml
Revert any RBAC changes by deleting the policy with:
kubectl delete role <role-name> --namespace=<namespace-name>