[Kubernetes] How to Protect Your K8S.

Posted on By nim No Comments on [Kubernetes] How to Protect Your K8S.

Set automountServiceAccountToken to false for this specification of kind Deployment.

Service account tokens are Kubernetes secrets created automatically to authenticate applications running inside pods to the API server. If a pod is compromised, an attacker could use this token to access other resources in the cluster.

For example, they could create new pods, modify existing ones, or even delete critical system pods, depending on the permissions associated with the service account.

Therefore, it’s recommended to disable the automounting of service account tokens when it’s not necessary for the application running in the pod.

Noncompliant code example

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec: # Noncompliant
  containers:
  - name: example-pod
    image: nginx:1.25.3

Compliant Solution

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: example-pod
    image: nginx:1.25.3
  automountServiceAccountToken: false

If your application needs to access K8S API, You don’t need to use it.
If you still use it, you will encounter the issue:

level=error msg="open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory"
Kubernetes

More Related Articles

[Cilium] Cilium Pods crash when upgraded to K8S 1.30 Kubernetes
[Kubernetes] Security in Kubernetes Deployments Kubernetes
[Tetragon] Security Observability and Runtime Enforcement Kubernetes
[coroot] Metrics, logs, and traces by Coroot Kubernetes
[K8s] Signals and the “kubectl delete” command Kubernetes
[Synthetic Test] Create a Status Page for your product easily. Coding

Leave a Reply

Your email address will not be published. Required fields are marked *