☑️ Prevent service account token auto-mounting on pods

By default, Kubernetes assigns a service account to every Pod it creates and mounts that account's secret token into the Pod at runtime. Many containerized applications do not need access to the service account at all, so it is recommended to disable mounting of the token.

Objects targeted by this rule (by kind): ServiceAccount / Pod

Complexity: easy

Policy as code identifier: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE


This rule will fail

If automountServiceAccountToken is not set or set to true:

kind: ServiceAccount
automountServiceAccountToken: true
---
kind: Pod
spec:
  containers:
    - name: myContainer

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent service account token auto-mounting on pods [1 occurrence]
💡 Invalid value for key `automountServiceAccountToken` - must be set to `false` to prevent granting unnecessary access to the service account

How to fix this failure

Set automountServiceAccountToken to false either at the ServiceAccount level or at the individual Pod level (Pod level takes precedence):

kind: ServiceAccount
automountServiceAccountToken: false
---
kind: Pod
spec:
  automountServiceAccountToken: false
  containers:
    - name: myContainer
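The precedence described above (a Pod-level value overrides the ServiceAccount-level value, and an unset value on both means the token is mounted) is worth seeing as code. The following is an added example, not Datree's own rule implementation: it evaluates a handful of constructed manifests (already parsed into dicts, with hypothetical names) in two ways. `rule_failures` mirrors the rule text on this page, flagging each ServiceAccount or Pod whose key is unset or true, while `pods_with_token_mounted` computes the effective result the kubelet applies, which is what determines whether the token actually lands in the container. When a Pod omits `serviceAccountName`, Kubernetes uses the account named `default`; that assumption is built into the example.

```python
"""Added example (not Datree's code): per-object rule check versus the
effective automountServiceAccountToken result a Pod actually gets."""
from __future__ import annotations

KEY = "automountServiceAccountToken"

# Constructed sample manifests with hypothetical names, in the dict shape a
# YAML loader would produce for each document.
MANIFESTS: list[dict] = [
    # unset on the ServiceAccount -> defaults to True
    {"kind": "ServiceAccount", "metadata": {"name": "default"}},
    # explicitly hardened ServiceAccount
    {"kind": "ServiceAccount", "metadata": {"name": "locked"},
     KEY: False},
    # Pod with nothing set, uses the "default" account -> token mounted
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"containers": [{"name": "myContainer"}]}},
    # Pod with nothing set, but its account says False -> not mounted
    {"kind": "Pod", "metadata": {"name": "batch"},
     "spec": {"serviceAccountName": "locked",
              "containers": [{"name": "myContainer"}]}},
    # Pod-level True overrides the account's False -> token mounted
    {"kind": "Pod", "metadata": {"name": "override"},
     "spec": {"serviceAccountName": "locked", KEY: True,
              "containers": [{"name": "myContainer"}]}},
    # Pod-level False -> not mounted regardless of the account
    {"kind": "Pod", "metadata": {"name": "hardened"},
     "spec": {KEY: False, "containers": [{"name": "myContainer"}]}},
]


def _name(obj: dict) -> str:
    return obj.get("metadata", {}).get("name", "<unnamed>")


def effective_automount(pod: dict, accounts: dict[str, dict]) -> bool:
    """Kubernetes precedence: the Pod spec field wins; otherwise the
    ServiceAccount's field; otherwise the default, which is True."""
    spec = pod.get("spec", {})
    if KEY in spec:
        return bool(spec[KEY])
    account = accounts.get(spec.get("serviceAccountName", "default"), {})
    if KEY in account:
        return bool(account[KEY])
    return True  # cluster default: token is mounted


def rule_failures(manifests: list[dict]) -> list[str]:
    """Return 'Kind/name' for every ServiceAccount or Pod that the rule on
    this page would flag: the key is missing or set to true, judged per
    object without looking at related objects."""
    failures = []
    for obj in manifests:
        kind = obj.get("kind")
        if kind == "ServiceAccount":
            value = obj.get(KEY)
        elif kind == "Pod":
            value = obj.get("spec", {}).get(KEY)
        else:
            continue  # other kinds are out of scope for this rule
        if value is None or value is True:
            failures.append(f"{kind}/{_name(obj)}")
    return failures


def pods_with_token_mounted(manifests: list[dict]) -> list[str]:
    """Names of Pods whose container would actually receive the token at
    /var/run/secrets/kubernetes.io/serviceaccount, after precedence."""
    accounts = {_name(m): m for m in manifests
                if m.get("kind") == "ServiceAccount"}
    return [_name(m) for m in manifests
            if m.get("kind") == "Pod" and effective_automount(m, accounts)]


if __name__ == "__main__":
    print("rule failures:", rule_failures(MANIFESTS))
    print("token mounted:", pods_with_token_mounted(MANIFESTS))
```

Note the gap between the two views: the Pod named `batch` is flagged by the per-object check because it sets nothing itself, yet its token is not mounted because its ServiceAccount is hardened. Setting the value to false on the Pod itself, as the fix above recommends, satisfies both the static rule and the runtime behaviour, and it cannot be undone by a later change to the account.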