Profile Applicability:
Level 1
Description:
Kubernetes automatically mounts service account tokens into containers in the form of environment variables or volumes. This check ensures that service account tokens are only mounted when necessary, limiting exposure to sensitive information and reducing the risk of unauthorized access.
Rationale:
Service account tokens allow applications inside containers to interact with the Kubernetes API, and if misused or exposed, they can be leveraged to escalate privileges or gain unauthorized access to the cluster. By restricting the automatic mounting of service account tokens, the risk of unauthorized access is minimized, and you reduce the attack surface.
Impact:
Pros:
Reduces the risk of unauthorized access to the Kubernetes API by limiting the exposure of service account tokens.
Ensures that only the containers that need to interact with the Kubernetes API are provided with tokens.
Cons:
Some workloads, such as controllers or monitoring tools, may require service account tokens to authenticate and access the Kubernetes API.
Requires careful configuration to ensure that tokens are only mounted where necessary.
Default Value:
By default, Kubernetes automatically mounts a service account token in all containers unless explicitly disabled via the automountServiceAccountToken option in the pod's configuration.
Pre-requisites:
Ensure that RBAC (Role-Based Access Control) and PodSecurityPolicies (or an equivalent admission control mechanism) are configured to manage service account token mounting.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Pod specifications and verify that service account tokens are only mounted in containers that require access to the Kubernetes API.
Ensure that the automountServiceAccountToken setting is explicitly set to false for pods that do not require access to Kubernetes API resources.
Using Azure CLI:
Use the following command to list all pods and check if service account tokens are automatically mounted:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.automountServiceAccountToken}{"\n"}{end}'
Ensure that automountServiceAccountToken is set to false for pods that do not require a service account token. An empty value means the field is unset on the pod, which inherits the setting of its ServiceAccount (true by default).
Check which pods actually have a service account token volume, so that only containers needing Kubernetes API access have tokens mounted. On current clusters the token is a projected volume with a serviceAccountToken source; the command prints the token path for pods that have one and nothing for pods that do not:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.volumes[*].projected.sources[*].serviceAccountToken.path}{"\n"}{end}'
On clusters that still use legacy secret-based tokens, look instead for a secret volume named after the service account (for example default-token-*) under .spec.volumes[*].secret.secretName.
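An offline form of this check, added here as an example and not part of the benchmark or of AKS tooling: it evaluates the object lists that kubectl get pods -A -o json and kubectl get sa -A -o json return, resolves the effective setting (pod field, then the ServiceAccount's field, then the default of true) and lists the volumes that actually carry a token. The namespace, pod and ServiceAccount names in the embedded sample are constructed.

```python
def effective_automount(pod, sas):
    """True when the API server will inject a token into this pod. Precedence:
    pod.spec.automountServiceAccountToken, then the same field on the pod's
    ServiceAccount, then the Kubernetes default (True)."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = pod["metadata"]["namespace"]
    sa = sas.get((ns, spec.get("serviceAccountName", "default")), {})
    return bool(sa.get("automountServiceAccountToken", True))


def token_volumes(pod):
    """Names of volumes that carry a token: projected volumes with a
    serviceAccountToken source (1.22+) or legacy <sa>-token-* secret volumes."""
    found = []
    for vol in pod["spec"].get("volumes", []):
        projected = any("serviceAccountToken" in src
                        for src in vol.get("projected", {}).get("sources", []))
        legacy = "-token-" in vol.get("secret", {}).get("secretName", "")
        if projected or legacy:
            found.append(vol["name"])
    return found


def audit(pod_list, sa_list):
    """Map namespace/pod -> (effective automount, token volumes) for pods exposing a token."""
    sas = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
           for s in sa_list["items"]}
    findings = {}
    for pod in pod_list["items"]:
        key = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        auto, vols = effective_automount(pod, sas), token_volumes(pod)
        if auto or vols:
            findings[key] = (auto, vols)
    return findings


# Constructed sample (hypothetical names): SA ops/agent opts out, pod ops/controller overrides it.
SA_LIST = {"items": [{"metadata": {"namespace": "ops", "name": "agent"},
                      "automountServiceAccountToken": False}]}
POD_LIST = {"items": [
    {"metadata": {"namespace": "web", "name": "frontend"},  # nothing set: default
     "spec": {"volumes": [{"name": "kube-api-access-x7k2q", "projected": {
         "sources": [{"serviceAccountToken": {"path": "token"}}]}}]}},
    {"metadata": {"namespace": "web", "name": "batch"},  # opted out, no token
     "spec": {"automountServiceAccountToken": False, "volumes": []}},
    {"metadata": {"namespace": "ops", "name": "controller"},
     "spec": {"serviceAccountName": "agent",
              "automountServiceAccountToken": True, "volumes": []}}]}
```

Feed it the output of the two kubectl commands (json.load on each) and every pod returned by audit is one to justify or opt out.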
Implementation Plan:
Using Azure Console:
In the Azure portal, go to your AKS cluster and access the Pod specifications.
Disable the automatic mounting of service account tokens for pods that do not need access to the Kubernetes API by setting automountServiceAccountToken: false in the pod's spec:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  automountServiceAccountToken: false
  containers:
  - name: my-container
    image: my-image
For workloads that require service account tokens, ensure the pod definition explicitly sets automountServiceAccountToken: true or omits the field, since the default is true.
Apply this configuration to all pods, ensuring that only the required workloads have access to service account tokens.
Using Azure CLI:
To disable the automatic mounting of service account tokens for a pod, add the following to the Pod specification:
automountServiceAccountToken: false
Apply the updated Pod configuration:
kubectl apply -f pod-spec.yaml
To ensure service account tokens are only mounted where needed, edit the Pod specifications for the containers that require Kubernetes API access to explicitly mount the service account token:
automountServiceAccountToken: true
Apply the configuration for all required pods using:
kubectl apply -f pod-spec.yaml
Backout Plan:
Using Azure Console:
If restricting service account token mounting causes issues with legitimate workloads, revert the changes in the Azure portal by re-enabling token mounting for specific pods.
Using Azure CLI:
Revert the Pod specification by removing the automountServiceAccountToken field or setting it to true where necessary:
automountServiceAccountToken: true
Apply the reverted configuration:
kubectl apply -f pod-spec.yaml
If necessary, modify RBAC settings to allow the appropriate access to service account tokens.
References:
Azure Kubernetes Service (AKS) Best Practices
Kubernetes Pod Security Context Documentation