Set automountServiceAccountToken to false for this specification of kind Deployment.
Service account tokens are Kubernetes secrets created automatically to authenticate applications running inside pods to the API server. If a pod is compromised, an attacker could use this token to access other resources in the cluster.
For example, they could create new pods, modify existing ones, or even delete critical system pods, depending on the permissions associated with the service account.
Therefore, it’s recommended to disable the automounting of service account tokens when it’s not necessary for the application running in the pod.
Noncompliant code example
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec: # Noncompliant
  containers:
    - name: example-pod
      image: nginx:1.25.3
Compliant Solution
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
    - name: example-pod
      image: nginx:1.25.3
  automountServiceAccountToken: false
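The rule title mentions kind Deployment while the examples show a bare Pod; the field must sit at the pod-spec level in either case, which for a Deployment means spec.template.spec. The following script is an added example (not part of the rule text or of any scanner's code) that checks decoded manifests for the missing setting and, separately, inspects a live Pod object as returned by `kubectl get pod -o json` to see whether a token volume is actually mounted. The manifests and the pod object are constructed inline for the demonstration; the volume name kube-api-access-x1y2z is a made-up stand-in for the name the kubelet generates.

```python
"""Audit Kubernetes manifests and live Pod objects for automatically mounted
service account tokens (added example; not part of the original rule text)."""
import json

# Mount path the kubelet uses for the auto-injected token volume.
TOKEN_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"

# Workload kinds whose pod spec lives under spec.template.spec.
WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


def pod_spec_of(obj):
    """Return the pod spec embedded in a Pod or workload object, or None."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec")
    if kind == "CronJob":
        job = spec.get("jobTemplate", {}).get("spec", {})
        return job.get("template", {}).get("spec")
    return None


def manifest_finding(obj):
    """Return a finding if automountServiceAccountToken is not false at the
    pod-spec level (a copy placed inside a container entry does not count)."""
    pod_spec = pod_spec_of(obj)
    if pod_spec is None:
        return None  # not a pod-bearing kind; nothing to check
    if pod_spec.get("automountServiceAccountToken") is False:
        return None
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    return f"{obj['kind']}/{name}: automountServiceAccountToken is not false"


def token_is_mounted(pod):
    """For a Pod as returned by `kubectl get pod -o json`, report whether a
    service account token volume is mounted into any container."""
    spec = pod.get("spec", {})
    token_volumes = {
        v["name"]
        for v in spec.get("volumes", [])
        if any("serviceAccountToken" in s
               for s in v.get("projected", {}).get("sources", []))
    }
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in token_volumes or m.get("mountPath") == TOKEN_MOUNT:
                return True
    return False


def audit(objects):
    """Run manifest_finding over decoded objects and return the findings."""
    return [f for f in (manifest_finding(o) for o in objects) if f]


# Constructed sample: the field is misplaced inside the container entry,
# so the Deployment is still flagged.
NONCOMPLIANT_DEPLOYMENT = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web"},
  "spec": {"template": {"spec": {"containers": [
      {"name": "web", "image": "nginx:1.25.3",
       "automountServiceAccountToken": false}]}}}
}""")

# Constructed sample: the field sits at spec.template.spec, where it belongs.
COMPLIANT_DEPLOYMENT = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
      "automountServiceAccountToken": false,
      "containers": [{"name": "web", "image": "nginx:1.25.3"}]}}}
}""")

# Constructed live Pod object carrying the projected token volume the kubelet injects.
LIVE_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-abc"},
  "spec": {
    "volumes": [{"name": "kube-api-access-x1y2z", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token"}},
        {"configMap": {"name": "kube-root-ca.crt"}}]}}],
    "containers": [{"name": "web", "image": "nginx:1.25.3",
      "volumeMounts": [{"name": "kube-api-access-x1y2z",
        "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
        "readOnly": true}]}]}
}""")

if __name__ == "__main__":
    for line in audit([NONCOMPLIANT_DEPLOYMENT, COMPLIANT_DEPLOYMENT]):
        print(line)
    print("token mounted in live pod:", token_is_mounted(LIVE_POD))
```

The manifest check is deliberately strict: an unset field is reported, because the effective default then comes from the ServiceAccount, and the live-pod check is the one that tells you what the kubelet actually mounted.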
If your application does not need to access the Kubernetes API, it does not need the token.
If the application still tries to read the token after automounting has been disabled, you will encounter this error:
level=error msg="open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory"