Detections
Analytics
Ensure that Service Account Tokens are only mounted where necessary
MEDIUM
Description
Description:
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server
Rationale:
Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.
Avoiding mounting these tokens removes this attack avenue.
Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals.
Remediation
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
Policy Details
Rule Reference ID: AC_K8S_0045
CSP: Kubernetes
Remediation Available: No
Domain: Identity and Access Management
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod
Frameworks
GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 2
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Master Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 2
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Master Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1