Service Account Token Automount Not Disabled
- Query id: 48471392-d4d0-47c0-b135-cdec95eb3eef
- Query name: Service Account Token Automount Not Disabled
- Platform: Kubernetes
- Severity: Medium
- Category: Insecure Defaults
- CWE: 665
- URL: Github
Description¶
Service Account Tokens are automatically mounted even if not necessary
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: security.context.demo
spec:
automountServiceAccountToken: true
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: serving.knative.dev/v1
kind: Configuration
metadata:
name: dummy-config
namespace: knative-sequence
spec:
template:
spec:
automountServiceAccountToken: true
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
Positive test num. 2 - yaml file
apiVersion: v1
kind: ServiceAccount
metadata:
name: redistest-sa
automountServiceAccountToken: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: demoenv
labels:
app: redis
spec:
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
serviceAccountName: redistest-sa
containers:
- name: redis
image: redis:latest
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
automountServiceAccountToken: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: { }
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
Negative test num. 2 - yaml file
apiVersion: v1
kind: ServiceAccount
metadata:
name: redistest-sa
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: demoenv
labels:
app: redis
spec:
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
serviceAccountName: redistest-sa
containers:
- name: redis
image: redis:latest