Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.
The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
Targeted objects by this rule (types of
Complexity: easy (What does this mean?)
Policy as code identifier: CIS_INVALID_VALUE_AUTOMOUNTSERVICEACCOUNTTOKEN
This rule will fail
If a default service account does not have the
automountServiceAccountToken key set to
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Ensure that default service accounts are not actively used [1 occurrence]
💡 Invalid value for key `automountServiceAccountToken` - set to `false` to ensure rights can be more easily audited
How to fix this failure
automountServiceAccountToken key and set it to