By default, every pod in Kubernetes is assigned the default ServiceAccount, which includes an automatically mounted token (Before v1.22) that grants the pod access to the Kubernetes API. This convenience, however, introduces several security risks:
Excessive Permissions: The default ServiceAccount token may provide more permissions than necessary, granting pods access to the Kubernetes API, potentially including sensitive or critical cluster resources. This can be exploited by attackers to perform unauthorized actions within the cluster.
Privilege Escalation: If an attacker compromises a pod, they can use the default ServiceAccount token to interact with the Kubernetes API, escalating privileges and potentially compromising the entire cluster.
Violation of Least Privilege Principle: Automatically mounting the default ServiceAccount token violates the principle of least privilege, which states that each pod should only have the minimum permissions required for its specific function. This unnecessarily broadens the scope of access for every pod in the cluster.
To mitigate these risks, it is essential to deactivate the automatic mounting of the default ServiceAccount token and assign specific permissions to each pod as needed.
