Welcome to the Linux Foundation Forum!

Setting automountServiceAccountToken to false

Hi,

Why would someone need to set automountServiceAccountToken to false? Well, if it's set to false, the corresponding token is not mounted in the filesystem, and therefore the attacker (if they are able to get in) is not able to communicate with the apiserver anyway. So, if a pod does not need to communicate with the apiserver, it seems a good idea not to mount the token at all. But if a pod does not need to communicate with the apiserver, why not assign the default service account to the pod (which does not have any permissions by default)?

And what to do if a pod needs to communicate with the apiserver? How can it get a token if it's not mounted? Mount it explicitly? Pass it in an env variable? The only reason I can see to set automountServiceAccountToken to false is to be able to mount the token with different parameters (mount path, token filename, expiration...). But this does not prevent the attacker from accessing it.

Thanks,
Dmytro
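The two patterns the question asks about, as an added example that is not part of the original post and not from any Kubernetes project documentation: a ServiceAccount that opts out of automounting so that pods using it get no token unless they ask, and a pod that does need apiserver access and mounts a projected, short-lived, audience-bound token explicitly. The names `api-reader`, `no-api-access`, the namespace `demo`, the `audience` value, the mount path and the container image are assumptions chosen for illustration; `kube-root-ca.crt` is the ConfigMap the apiserver publishes into every namespace.

```yaml
# Added example; not from the original post.
# All resource names, the namespace and the image are assumptions.

# 1. Service account for workloads that never talk to the apiserver.
#    Opting out here means no pod using it gets a token by accident;
#    a pod can still override this with its own automountServiceAccountToken.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: no-api-access
  namespace: demo
automountServiceAccountToken: false
---
# 2. Service account for a workload that does need the API.
#    Automount is disabled at the account level too, so the token is only
#    present in pods that request it with the projected volume below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-reader
  namespace: demo
automountServiceAccountToken: false
---
# 3. Pod that needs the apiserver: mount the token explicitly with chosen parameters.
apiVersion: v1
kind: Pod
metadata:
  name: reader
  namespace: demo
spec:
  serviceAccountName: api-reader
  # Pod-level field takes precedence over the ServiceAccount-level one.
  automountServiceAccountToken: false
  containers:
  - name: app
    image: registry.example.com/reader:1.0   # assumed image
    volumeMounts:
    - name: api-access
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount  # default path; any path works
      readOnly: true
  volumes:
  - name: api-access
    projected:
      sources:
      # Short-lived token; the kubelet rotates it before expiry.
      # expirationSeconds must be at least 600.
      - serviceAccountToken:
          path: token
          expirationSeconds: 1800
          audience: https://kubernetes.default.svc   # assumed audience
      # CA bundle and namespace, exactly as the default automount provides them.
      - configMap:
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

To confirm the opt-out worked, `kubectl exec` into a pod that uses `no-api-access` and list `/var/run/secrets/kubernetes.io/serviceaccount`: the directory should be absent. The explicit mount in pod 3 does not hide the token from whoever is already inside that container; what it buys is a token that expires (instead of the long-lived Secret-based tokens older clusters issued), is bound to the pod and is rejected by anything that does not accept the stated audience, so a stolen copy is worth less and for less time. Whether the token can do anything once presented is still purely a question of the RBAC bindings on `api-reader`.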
