
Restrict Service Account Token Mounting


Risk Level: Medium (should be achieved)

Ensure that service account tokens are only mounted in pods where the workload explicitly requires communication with the Kubernetes API server. Setting automountServiceAccountToken to false on the pod specification is the recommended secure state.

Security

Mounting service account tokens in a pod enables privilege escalation if the pod is compromised. Disabling token auto-mounting removes this potential attack vector and enhances security.


Audit

To determine if service account tokens are only mounted where necessary, perform the following operations:

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
        --cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --file $HOME/.kube/config \
        --kube-endpoint PUBLIC_ENDPOINT \
        --region 'ap-sydney-1' \
        --token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the kubectl get sa command to list all service accounts that are missing the automountServiceAccountToken: false setting:

    kubectl get sa --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTOMOUNT_TOKEN:.automountServiceAccountToken | grep -v 'false'
    
  8. The command output should return the namespace and name of any service account that is currently auto-mounting tokens (i.e., not secure by default):

    NAMESPACE         NAME              AUTOMOUNT_TOKEN
    staging           project5-sa       true
    prod              build-sa          true
    
  9. Run the kubectl get pods command to list Pods that are explicitly configured to auto-mount their service account token:

    kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTOMOUNT_TOKEN:.spec.automountServiceAccountToken | grep 'true'
    
  10. If the command output returns true for AUTOMOUNT_TOKEN, the Pod is explicitly configured to mount the service account token, which is non-compliant with the security best practice of restricting token access:

    NAMESPACE            NAME                           AUTOMOUNT_TOKEN
    prod                 user-auth-deployment-1234      true
    staging              jenkins-worker-abcd            true
    
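Steps 7 and 9 above check the service account and the pod separately. The effective state is decided by Kubernetes precedence: a pod-level automountServiceAccountToken wins when set, otherwise the service account's value applies, and when neither is set the token is mounted. The script below is an added example (not Conformity's own check) that applies that rule to constructed JSON in the shape of `kubectl get sa -A -o json` and `kubectl get pods -A -o json`; it also goes beyond step 9 by flagging pods that mount a token without setting the field themselves.

```python
"""Effective automountServiceAccountToken audit (added example)."""
import json

# Constructed sample data, shaped like `kubectl get sa -A -o json`
SA_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "build-sa"}, "automountServiceAccountToken": True},
    {"metadata": {"namespace": "prod", "name": "locked-sa"}, "automountServiceAccountToken": False},
    {"metadata": {"namespace": "staging", "name": "default"}},   # field unset -> defaults to true
]})

# Constructed sample data, shaped like `kubectl get pods -A -o json`
PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "user-auth-deployment-1234"},
     "spec": {"serviceAccountName": "build-sa", "automountServiceAccountToken": True}},
    {"metadata": {"namespace": "prod", "name": "batch-job-5678"},
     "spec": {"serviceAccountName": "locked-sa"}},               # inherits false from the SA
    {"metadata": {"namespace": "prod", "name": "api-proxy-9012"},
     "spec": {"serviceAccountName": "locked-sa", "automountServiceAccountToken": True}},  # pod overrides SA
    {"metadata": {"namespace": "staging", "name": "jenkins-worker-abcd"},
     "spec": {}},                                               # default SA, nothing set -> mounted
]})


def sa_automount_map(sa_json: str) -> dict:
    """Map (namespace, name) -> the SA's automountServiceAccountToken, or None when unset."""
    return {(i["metadata"]["namespace"], i["metadata"]["name"]): i.get("automountServiceAccountToken")
            for i in json.loads(sa_json)["items"]}


def effective_mount(pod: dict, sa_map: dict) -> bool:
    """Kubernetes precedence: pod spec field, then service account field, then default true."""
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    sa_name = spec.get("serviceAccountName", "default")
    sa_setting = sa_map.get((pod["metadata"]["namespace"], sa_name))
    return True if sa_setting is None else sa_setting


def pods_with_token(pods_json: str, sa_json: str) -> list:
    """Return sorted 'namespace/name' of every pod whose token is effectively mounted."""
    sa_map = sa_automount_map(sa_json)
    return sorted(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
                  for p in json.loads(pods_json)["items"] if effective_mount(p, sa_map))


if __name__ == "__main__":
    for ref in pods_with_token(PODS_JSON, SA_JSON):
        print("token mounted:", ref)
```

Note that `staging/jenkins-worker-abcd` is reported even though its pod spec sets nothing, which is exactly the case the `grep 'true'` in step 9 does not surface.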

Remediation / Resolution

To ensure the service account tokens are only mounted where strictly necessary, perform the following actions:

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
        --all \
        --include-root \
        --query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
        --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --all \
        --query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
        --cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
        --file $HOME/.kube/config \
        --kube-endpoint PUBLIC_ENDPOINT \
        --region 'ap-sydney-1' \
        --token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the kubectl patch serviceaccount command to set the automountServiceAccountToken parameter to false. This ensures that the token is not mounted in any new pods that use the specified service account, unless the pod spec explicitly overrides it. Replace <service-account-name> and <user-workload-namespace> with your own information:

    kubectl patch serviceaccount <service-account-name> -n <user-workload-namespace> -p '{"automountServiceAccountToken": false}'
    
  8. The command output should return the confirmation status:

    serviceaccount/<service-account-name> patched
    
  9. Run the kubectl patch deployment command to disable token auto-mounting within the workload's pod template. This is necessary if modifying the base service account definition is not possible, or if the deployment template explicitly overrides the service account setting. Replace <deployment-name> and <user-workload-namespace> with your own details:

    kubectl patch deployment <deployment-name> -n <user-workload-namespace> -p '{"spec": {"template": {"spec": {"automountServiceAccountToken": false}}}}'
    
  10. The command output should return the confirmation status:

    deployment.apps/<deployment-name> patched
    

Publication date Dec 11, 2025