k8s-serviceaccount-default

Ensure that default service accounts are not actively used

By default, the default Service Account is mounted on all pods, but it has no permissions. It is recommended to simply disable automounting it and to explicitly specify a custom service account when you want your pods to talk to the Kubernetes API.

Examples

Insecure Example

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
# Top-level ServiceAccount field (not part of metadata): the token is mounted into pods
automountServiceAccountToken: true

Secure Example

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
# Top-level ServiceAccount field (not part of metadata): pods get no token unless they opt in
automountServiceAccountToken: false
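
Audit Example

The following is an added example, not part of the original rule or its project: a small Python check that applies this recommendation to a cluster listing. It assumes input in the shape of `kubectl get serviceaccounts,pods -A -o json`; the namespaces and pod names in the sample are constructed. It also accounts for the pod-level `automountServiceAccountToken` field, which overrides the ServiceAccount setting.

```python
import json

# Constructed sample in the shape of `kubectl get serviceaccounts,pods -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "shop"}},
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "billing"},
  "automountServiceAccountToken": false},
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
  "spec": {"containers": []}},
 {"kind": "Pod", "metadata": {"name": "job", "namespace": "shop"},
  "spec": {"serviceAccountName": "default", "automountServiceAccountToken": false}},
 {"kind": "Pod", "metadata": {"name": "api", "namespace": "billing"},
  "spec": {"serviceAccountName": "default", "automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"name": "worker", "namespace": "billing"},
  "spec": {"serviceAccountName": "billing-worker"}}
]}
""")


def audit(listing):
    """Return (namespaces whose default SA still automounts, pods mounting its token)."""
    items = listing.get("items", [])
    # Per-namespace automount setting of the `default` ServiceAccount (None = unset).
    sa_setting = {}
    for it in items:
        if it.get("kind") == "ServiceAccount" and it["metadata"]["name"] == "default":
            sa_setting[it["metadata"]["namespace"]] = it.get("automountServiceAccountToken")
    # Unset means the token is mounted, so only an explicit false passes.
    bad_sas = sorted(ns for ns, v in sa_setting.items() if v is not False)

    bad_pods = []
    for it in items:
        if it.get("kind") != "Pod":
            continue
        spec, ns = it.get("spec", {}), it["metadata"].get("namespace", "default")
        if spec.get("serviceAccountName", "default") != "default":
            continue  # pod explicitly names a custom service account
        # The pod-level field overrides the ServiceAccount; unset everywhere = mounted.
        effective = spec.get("automountServiceAccountToken")
        if effective is None:
            effective = sa_setting.get(ns)
        if effective is not False:
            bad_pods.append(f"{ns}/{it['metadata']['name']}")
    return bad_sas, sorted(bad_pods)


if __name__ == "__main__":
    print(audit(SAMPLE))
```
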

More information