Measures

Automount default Service Account

The recommendation here is that the following command be used in each namespace:

kubectl -n <Namespace> patch serviceaccount default -p "automountServiceAccountToken: false"

This prevents the default ServiceAccount from being mounted automatically in any Pod. As a consequence, a separate ServiceAccount with the necessary rights must be created for each Pod and mounted in that Pod.
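
An added example (not part of the original page): a Python audit over the JSON produced by `kubectl get serviceaccounts,pods -A -o json` that lists namespaces whose default ServiceAccount is still unpatched and Pods that still run on the default ServiceAccount with a token mounted. It relies on the Kubernetes rule that a Pod-level `automountServiceAccountToken` overrides the ServiceAccount's value; the sample objects and the names `shop`, `legacy` and `cart-sa` are constructed.

```python
"""Audit ServiceAccount token automounting from kubectl JSON output."""

def effective_automount(pod, sa_by_key):
    """Pod spec wins over the ServiceAccount; unset on both means True."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return spec["automountServiceAccountToken"]
    # An empty serviceAccountName means the namespace's "default" account.
    sa_name = spec.get("serviceAccountName") or "default"
    sa = sa_by_key.get((pod["metadata"]["namespace"], sa_name), {})
    return sa.get("automountServiceAccountToken", True)

def audit(kube_list):
    """Return (unpatched_namespaces, pods_on_default_with_token)."""
    items = kube_list["items"]
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
           for i in items if i["kind"] == "ServiceAccount"}
    unpatched = sorted(ns for (ns, name), sa in sas.items()
                       if name == "default"
                       and sa.get("automountServiceAccountToken") is not False)
    findings = []
    for pod in (i for i in items if i["kind"] == "Pod"):
        sa_name = pod["spec"].get("serviceAccountName") or "default"
        if sa_name == "default" and effective_automount(pod, sas):
            meta = pod["metadata"]
            findings.append(f'{meta["namespace"]}/{meta["name"]}')
    return unpatched, sorted(findings)

def _obj(kind, ns, name, **fields):
    """Build a minimal object; Pod fields go under spec, others at top level."""
    body = {"kind": kind, "metadata": {"namespace": ns, "name": name}}
    body.update({"spec": fields} if kind == "Pod" else fields)
    return body

# Constructed sample shaped like `kubectl get serviceaccounts,pods -A -o json`.
SAMPLE = {"kind": "List", "items": [
    _obj("ServiceAccount", "shop", "default", automountServiceAccountToken=False),
    _obj("ServiceAccount", "shop", "cart-sa"),
    _obj("ServiceAccount", "legacy", "default"),  # never patched
    _obj("Pod", "shop", "cart", serviceAccountName="cart-sa"),
    _obj("Pod", "shop", "batch", serviceAccountName="default"),
    _obj("Pod", "shop", "debug", serviceAccountName="default",
         automountServiceAccountToken=True),  # Pod-level override
    _obj("Pod", "legacy", "web"),
]}

if __name__ == "__main__":
    unpatched, pods = audit(SAMPLE)
    print("namespaces with unpatched default ServiceAccount:", unpatched)
    print("pods on default ServiceAccount with token mounted:", pods)
```

The `shop/debug` Pod is reported even though its namespace was patched, because the Pod sets `automountServiceAccountToken: true` itself.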


Included in the following risks

Design Escapes