Scenario #271
Security
Kubernetes v1.23, AKS

Service Account Token Mounted in All Pods

All pods had default service account tokens mounted, increasing the risk of credential leakage.

What Happened

Developers were unaware that service account tokens were being auto-mounted into every pod, even when not required. If any pod was compromised, its token could be misused to access the Kubernetes API.

Diagnosis Steps
  1. Inspected pod specs for automountServiceAccountToken.
  2. Found all pods had tokens mounted by default.
  3. Reviewed logs and discovered unnecessary API calls using those tokens.
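The first diagnosis step, inspecting pod specs, can be automated. The script below is an added example, not part of the original scenario: it reads JSON in the shape of `kubectl get pods -A -o json` (the sample is constructed inline, not real cluster output) and reports pods that actually have a service account token volume injected, which is the effective state regardless of whether the pod or its ServiceAccount set `automountServiceAccountToken`. The `allowlist` of service accounts that legitimately need API access is an assumed parameter.

```python
import json

# Constructed sample resembling `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"name": "web", "namespace": "app"},
         "spec": {"serviceAccountName": "default",
                  "volumes": [{"name": "kube-api-access-abc12", "projected": {
                      "sources": [{"serviceAccountToken": {"path": "token"}}]}}]}},
        {"metadata": {"name": "worker", "namespace": "app"},
         "spec": {"serviceAccountName": "default",
                  "automountServiceAccountToken": False, "volumes": []}},
        {"metadata": {"name": "controller", "namespace": "infra"},
         "spec": {"serviceAccountName": "controller-sa",
                  "volumes": [{"name": "kube-api-access-xyz99", "projected": {
                      "sources": [{"serviceAccountToken": {"path": "token"}}]}}]}},
    ]
})


def has_sa_token_volume(spec):
    """True if a projected volume carries a serviceAccountToken source.

    The admission controller injects such a volume whenever neither the pod
    nor its ServiceAccount disables auto-mounting, so this reflects the
    effective state rather than what the author wrote in the manifest."""
    for vol in spec.get("volumes") or []:
        for src in (vol.get("projected") or {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    return False


def pods_with_token_mounted(pods_json, allowlist=()):
    """Return 'namespace/name' for pods with an API token mounted whose
    service account is not on the allowlist of accounts that need one."""
    findings = []
    for item in json.loads(pods_json)["items"]:
        spec = item["spec"]
        sa = spec.get("serviceAccountName", "default")
        if has_sa_token_volume(spec) and sa not in allowlist:
            findings.append(f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}')
    return findings


if __name__ == "__main__":
    for pod in pods_with_token_mounted(SAMPLE_PODS, allowlist={"controller-sa"}):
        print("token mounted but automountServiceAccountToken not disabled:", pod)
```

Pipe real output in with `kubectl get pods -A -o json` and pass it to `pods_with_token_mounted` to get the list of pods to remediate.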
Root Cause

The default behavior of auto-mounting tokens was not overridden.

Fix/Workaround
• Set automountServiceAccountToken: false in non-privileged pods.
• Reviewed RBAC permissions to ensure tokens were scoped correctly.
Lessons Learned

Don’t give more access than necessary; disable token mounts where not needed.

How to Avoid
  1. Disable token mounting unless required.
  2. Enforce security-aware pod templates across teams.