fix(security): disable automatic mounting of service account tokens #45056
+9 −9
Setting `automountServiceAccountToken: true` in a Kubernetes Pod's specification ensures that the pod automatically mounts a service account token, granting it access to the Kubernetes API. While this is necessary for applications that interact with the API, enabling this feature indiscriminately can introduce several security risks:

- **Excessive Permissions:** By default, the mounted service account token may have broader permissions than the pod requires. If an attacker compromises the pod, they could exploit these permissions to perform unauthorized actions within the cluster.
- **Privilege Escalation:** A compromised pod with an automatically mounted service account token can interact with the Kubernetes API, potentially allowing an attacker to escalate privileges and gain control over additional cluster resources.
- **Increased Attack Surface:** Mounting the service account token into a pod's filesystem increases the pod's attack surface, making it more susceptible to security breaches.

**Best Practices:**

- **Disable Automatic Mounting:** Set `automountServiceAccountToken: false` for pods that do not require interaction with the Kubernetes API. This minimizes the risk by ensuring that only pods needing API access have the token mounted.
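The following is an added example, not code from this PR or from the project it targets. It audits a set of Pod manifests (supplied as plain dicts standing in for parsed YAML) and reports which ones would end up with an auto-mounted token, applying the precedence rule Kubernetes documents: an explicit `automountServiceAccountToken` on the Pod spec wins, otherwise the ServiceAccount's value applies, otherwise the token is mounted. The pod and service account names are constructed for the example; `harden()` is a hypothetical helper that applies the fix this PR's title describes.

```python
import copy

# Kubernetes default when neither the Pod nor its ServiceAccount sets the field.
KUBERNETES_DEFAULT_AUTOMOUNT = True
DEFAULT_SERVICE_ACCOUNT = "default"


def token_is_mounted(pod, service_accounts):
    """Decide whether the API server would auto-mount a token into this Pod.

    Precedence: an explicit value in the Pod spec wins; otherwise the
    ServiceAccount's value applies; otherwise the default (mount the token).
    """
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    sa_name = spec.get("serviceAccountName", DEFAULT_SERVICE_ACCOUNT)
    sa_setting = service_accounts.get(sa_name, {}).get("automountServiceAccountToken")
    if sa_setting is not None:
        return bool(sa_setting)
    return KUBERNETES_DEFAULT_AUTOMOUNT


def audit(pods, service_accounts):
    """Return the names of Pods that would receive an auto-mounted token."""
    return [pod["metadata"]["name"] for pod in pods
            if token_is_mounted(pod, service_accounts)]


def harden(pod):
    """Return a copy of the Pod with automatic token mounting disabled at Pod level.

    The original is left untouched so an audit tool can show a before/after diff.
    """
    hardened = copy.deepcopy(pod)
    hardened.setdefault("spec", {})["automountServiceAccountToken"] = False
    return hardened


# Constructed sample manifests (dicts standing in for parsed YAML); all names are hypothetical.
SERVICE_ACCOUNTS = {
    "default": {"metadata": {"name": "default"}},
    # A ServiceAccount that opts out of auto-mounting for every Pod that uses it.
    "api-reader": {"metadata": {"name": "api-reader"}, "automountServiceAccountToken": False},
}

CONTAINERS = [{"name": "app", "image": "example/app:1.0"}]

PODS = [
    # Nothing set anywhere: the Kubernetes default applies, token is mounted.
    {"metadata": {"name": "web-frontend"},
     "spec": {"containers": CONTAINERS}},
    # Pod-level false: the hardened form, token is not mounted.
    {"metadata": {"name": "batch-job"},
     "spec": {"automountServiceAccountToken": False, "containers": CONTAINERS}},
    # ServiceAccount says false but the Pod says true: the Pod spec wins, token is mounted.
    {"metadata": {"name": "api-client"},
     "spec": {"serviceAccountName": "api-reader",
              "automountServiceAccountToken": True, "containers": CONTAINERS}},
    # ServiceAccount says false and the Pod is silent: token is not mounted.
    {"metadata": {"name": "metrics-sidecar"},
     "spec": {"serviceAccountName": "api-reader", "containers": CONTAINERS}},
]


if __name__ == "__main__":
    for name in audit(PODS, SERVICE_ACCOUNTS):
        print(f"{name}: service account token will be auto-mounted")
    print("after harden:", audit([harden(p) for p in PODS], SERVICE_ACCOUNTS))
```

Two points worth keeping in mind when using a check like this: the Pod-level field overrides the ServiceAccount, so a cluster-wide opt-out on the ServiceAccount can still be undone by a single manifest, which is why the audit looks at both; and `automountServiceAccountToken: false` only stops the automatic mount, a Pod that explicitly declares a projected `serviceAccountToken` volume still receives a token, so workloads that genuinely need API access should do so through a dedicated ServiceAccount bound to least-privilege RBAC rules rather than the namespace default.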