k8s-serviceaccount-default
Ensure that default service accounts are not actively used
By default, the default Service Account is mounted on all pods, but it has no permissions. It is recommended to simply disable automounting it and explicitly specify a custom service account when you want your pods to talk to the Kubernetes API.
Examples
Insecure Example
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: true
Secure Example
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: false
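
The following audit sketch is an added example, not this rule's own implementation. It reads JSON shaped like the output of `kubectl get serviceaccounts,pods -o json` and reports default service accounts that still automount, plus pods that end up with the default token. The namespaces, pod names and the `api-reader` account in the sample are constructed.

```python
import json

# Constructed sample, shaped like `kubectl get serviceaccounts,pods -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "shop"},
  "automountServiceAccountToken": false},
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "legacy"}},
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"}, "spec": {}},
 {"kind": "Pod", "metadata": {"name": "override", "namespace": "shop"},
  "spec": {"automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"name": "worker", "namespace": "shop"},
  "spec": {"serviceAccountName": "api-reader"}},
 {"kind": "Pod", "metadata": {"name": "batch", "namespace": "legacy"}, "spec": {}}
]}
""")

def audit(manifest):
    """Return sorted findings for default service accounts that are still usable."""
    items = manifest.get("items", [manifest])
    # (namespace, name) -> automount flag on the ServiceAccount; None means unset.
    sa_flag = {}
    for obj in items:
        if obj.get("kind") == "ServiceAccount":
            meta = obj["metadata"]
            key = (meta.get("namespace", "default"), meta["name"])
            sa_flag[key] = obj.get("automountServiceAccountToken")
    findings = []
    for (ns, name), flag in sa_flag.items():
        if name == "default" and flag is not False:  # unset behaves like true
            findings.append(f"ServiceAccount {ns}/default: automount not disabled")
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        meta, spec = obj["metadata"], obj.get("spec", {})
        ns = meta.get("namespace", "default")
        # A pod with no serviceAccountName runs as "default".
        if spec.get("serviceAccountName", "default") != "default":
            continue
        # The pod-level field, when set, wins over the ServiceAccount's.
        mount = spec.get("automountServiceAccountToken")
        if mount is None:
            mount = sa_flag.get((ns, "default")) is not False
        if mount:
            findings.append(f"Pod {ns}/{meta['name']}: mounts default token")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The `override` pod is flagged even though its namespace's default account has automounting disabled, because a pod-level `automountServiceAccountToken` takes precedence over the ServiceAccount setting.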