TF 0121 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Protecting Pod service account tokens
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | misconfiguration |
Description
By default, Kubernetes mounts the Pod's service account token into every container (under /var/run/secrets/kubernetes.io/serviceaccount) unless `automountServiceAccountToken` is explicitly set to `false` in the Pod spec. A Pod that never talks to the Kubernetes API therefore carries an API credential it does not need; an explicit Pod-level setting takes precedence over the same field on the ServiceAccount, so omitting it on the Pod leaves the mount governed by the ServiceAccount or the default (`true`).
Impact
An attacker who gains code execution inside any container of the Pod can read the token from the mounted volume and present it to the Kubernetes API server with whatever RBAC permissions the Pod's service account holds. Depending on those permissions, that allows enumerating or reading Secrets and other resources, creating or modifying workloads, and escalating to broader control of the cluster.
Resolution
Disable the token mount for workloads that do not need to call the Kubernetes API by setting `automountServiceAccountToken: false` in the Pod spec (and, as a default, on the ServiceAccount itself; the Pod-level value wins where both are set). Workloads that genuinely need API access should keep the mount but run under a dedicated service account bound to least-privilege RBAC rules rather than the namespace's `default` account.
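The following audit script is an added example and is not part of this database entry or any SymbioticSec tooling. It applies the precedence described above (explicit Pod setting, then the ServiceAccount's setting, then the default of `true`) to a set of manifests supplied as Python dicts, and reports every Pod or pod template that would still receive a token. The manifests in `SAMPLE_MANIFESTS`, including the weak Deployment and the hardened Pod, are constructed for illustration; the object names and the `audit`/`token_is_mounted` helper names are this example's own.

```python
"""Find Pods (and pod templates) that would still get a service account token mounted.

Precedence modelled here, as the Kubernetes API server applies it:
  pod.spec.automountServiceAccountToken  (explicit Pod setting wins)
  ServiceAccount.automountServiceAccountToken
  default: true
"""

# Kinds whose Pod template lives at spec.template.spec
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec_of(obj):
    """Return the PodSpec dict for a Pod or a template-bearing workload, else None."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":  # CronJob nests the Pod template one level deeper
        return (spec.get("jobTemplate", {}).get("spec", {})
                    .get("template", {}).get("spec", {}))
    return None


def token_is_mounted(pod_spec, sa_settings, namespace):
    """True if the API server would mount a token into this Pod's containers."""
    pod_setting = pod_spec.get("automountServiceAccountToken")
    if pod_setting is not None:      # explicit Pod-level value always wins
        return bool(pod_setting)
    sa_name = pod_spec.get("serviceAccountName", "default")
    sa_setting = sa_settings.get((namespace, sa_name))
    if sa_setting is not None:       # otherwise the ServiceAccount's value applies
        return bool(sa_setting)
    return True                      # cluster default: mount the token


def audit(manifests):
    """Return [(kind, namespace, name, reason)] for every workload that mounts a token."""
    # First pass: ServiceAccount-level settings keyed by (namespace, name)
    sa_settings = {}
    for obj in manifests:
        if obj.get("kind") == "ServiceAccount":
            meta = obj.get("metadata", {})
            key = (meta.get("namespace", "default"), meta["name"])
            sa_settings[key] = obj.get("automountServiceAccountToken")

    findings = []
    for obj in manifests:
        pod_spec = pod_spec_of(obj)
        if pod_spec is None:
            continue
        meta = obj.get("metadata", {})
        ns = meta.get("namespace", "default")
        if not token_is_mounted(pod_spec, sa_settings, ns):
            continue
        sa_name = pod_spec.get("serviceAccountName", "default")
        if pod_spec.get("automountServiceAccountToken") is True:
            reason = "pod spec sets automountServiceAccountToken: true (overrides ServiceAccount)"
        else:
            reason = f"automountServiceAccountToken not set; inherits from ServiceAccount {sa_name!r}"
        findings.append((obj["kind"], ns, meta.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample manifests for this example (not taken from any real cluster)
SAMPLE_MANIFESTS = [
    # ServiceAccount that opts out for everything using it
    {"kind": "ServiceAccount", "metadata": {"name": "batch-sa", "namespace": "jobs"},
     "automountServiceAccountToken": False},
    # Hardened: the Pod opts out explicitly
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "web", "image": "nginx"}]}},
    # Weak: nothing set, default ServiceAccount, token gets mounted
    {"kind": "Deployment", "metadata": {"name": "legacy", "namespace": "prod"},
     "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "app"}]}}}},
    # Covered by the ServiceAccount-level setting, no finding
    {"kind": "CronJob", "metadata": {"name": "nightly", "namespace": "jobs"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "serviceAccountName": "batch-sa",
         "containers": [{"name": "job", "image": "job"}]}}}}}},
    # Weak: Pod-level true overrides the ServiceAccount's false
    {"kind": "Pod", "metadata": {"name": "override", "namespace": "jobs"},
     "spec": {"serviceAccountName": "batch-sa", "automountServiceAccountToken": True,
              "containers": [{"name": "c", "image": "tool"}]}},
]


if __name__ == "__main__":
    for kind, ns, name, reason in audit(SAMPLE_MANIFESTS):
        print(f"{kind} {ns}/{name}: {reason}")
```

Running it flags the `legacy` Deployment and the `override` Pod while passing `web` (explicit `false` on the Pod) and `nightly` (inherits `false` from `batch-sa`). To use it against a live cluster, feed it the decoded output of `kubectl get pods,deploy,sts,ds,cronjobs,serviceaccounts -A -o json` (the `items` list) instead of `SAMPLE_MANIFESTS`.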