v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/kubernetes_compliance
Overview
4Dashboards
790Controls
781Queries
2Variables
GitHub

Control: 5.1.6 Ensure that Service Account Tokens are only mounted where necessary

Description

Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server.

Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.

Avoiding mounting these tokens removes this attack avenue.

Remediation

Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.

Default Value: By default, all pods get a service account token mounted in them.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.cis_v170_5_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.cis_v170_5_1_6 --share

SQL

This control uses a named query:

pod_service_account_token_disabled

Tags

category = Compliance
cis = true
cis_item_id = 5.1.6
cis_level = 1
cis_section_id = 5.1
cis_type = manual
cis_version = v1.7.0
kubernetes_version = v1.25
plugin = kubernetes
service = Kubernetes/Pod