Description
Kubescape's documentation states that auto-mounting a service account token should be disabled in the service account itself or at the pod level. It also states that it is the pod level that takes precedence. However, it seems Kubescape only looks at the service account to determine whether or not a service account token is auto-mounted in a pod. This leads to a false positive when auto-mounting is enabled at the service-account level but disabled at the pod level. It also leads to a possibly worse false negative when auto-mounting is disabled at the service-account level but enabled at the pod level.
Environment
OS: Pop!OS 22.04
Version: 3.0.7
Steps To Reproduce
I compiled a minimal chart demonstrating the issue, as well as an exception.json to ignore all errors introduced by minimising the example except C-0037.
Expected behavior
The scan should report pods that auto-mount the service account token, and not report pods that do not auto-mount the service account token.
Actual Behavior
The scan reports auto-mounting of the service account token based only on the setting in the service account itself.
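The precedence the issue relies on is the one Kubernetes documents: `automountServiceAccountToken` on the pod spec overrides the same field on the ServiceAccount, and when neither is set the token is mounted. The following is an added example, not Kubescape's own code and not the C-0037 Rego rule: it resolves the effective setting correctly, models the ServiceAccount-only check the issue describes, and runs both over constructed fixtures for the four combinations, so the false positive and false negative fall out as concrete rows. The `Pod` and `ServiceAccount` types are minimal stand-ins for the k8s.io/api fields, not the real types; fixture names such as `sa-nomount` are invented.

```go
package main

import "fmt"

// Minimal stand-ins for the Kubernetes fields involved (not the k8s.io/api
// types). A *bool keeps "unset" distinguishable from an explicit false.
type ServiceAccount struct {
	Name                         string
	AutomountServiceAccountToken *bool
}

type Pod struct {
	Name                         string
	ServiceAccountName           string // empty means "default"
	AutomountServiceAccountToken *bool
}

func boolPtr(b bool) *bool { return &b }

// serviceAccountFor resolves the pod's service account; Kubernetes uses
// "default" when spec.serviceAccountName is empty. Returns nil if unknown.
func serviceAccountFor(pod Pod, sas map[string]*ServiceAccount) *ServiceAccount {
	name := pod.ServiceAccountName
	if name == "" {
		name = "default"
	}
	return sas[name]
}

// EffectiveAutomount applies the documented precedence: the pod spec field
// wins, then the ServiceAccount field, and when both are unset the token is
// mounted (default true).
func EffectiveAutomount(pod Pod, sas map[string]*ServiceAccount) bool {
	if pod.AutomountServiceAccountToken != nil {
		return *pod.AutomountServiceAccountToken
	}
	if sa := serviceAccountFor(pod, sas); sa != nil && sa.AutomountServiceAccountToken != nil {
		return *sa.AutomountServiceAccountToken
	}
	return true
}

// ServiceAccountOnlyAutomount models the behaviour the issue reports: the pod
// spec is ignored and only the ServiceAccount setting is consulted.
func ServiceAccountOnlyAutomount(pod Pod, sas map[string]*ServiceAccount) bool {
	if sa := serviceAccountFor(pod, sas); sa != nil && sa.AutomountServiceAccountToken != nil {
		return *sa.AutomountServiceAccountToken
	}
	return true
}

// Verdict compares the two evaluators for one pod.
type Verdict struct {
	Pod           string
	Effective     bool // what the kubelet will actually do
	ReportedBySA  bool // what a ServiceAccount-only check reports
	FalsePositive bool // reported as mounting, but it does not
	FalseNegative bool // reported as not mounting, but it does
}

// Compare runs both evaluators over every pod and flags disagreements.
func Compare(pods []Pod, sas map[string]*ServiceAccount) []Verdict {
	out := make([]Verdict, 0, len(pods))
	for _, p := range pods {
		eff := EffectiveAutomount(p, sas)
		rep := ServiceAccountOnlyAutomount(p, sas)
		out = append(out, Verdict{
			Pod:           p.Name,
			Effective:     eff,
			ReportedBySA:  rep,
			FalsePositive: rep && !eff,
			FalseNegative: !rep && eff,
		})
	}
	return out
}

// Constructed fixtures (not from the issue's chart) covering the combinations
// of ServiceAccount and pod settings described in the issue.
var SampleSAs = map[string]*ServiceAccount{
	"default":    {Name: "default"}, // unset -> mounts by default
	"sa-mount":   {Name: "sa-mount", AutomountServiceAccountToken: boolPtr(true)},
	"sa-nomount": {Name: "sa-nomount", AutomountServiceAccountToken: boolPtr(false)},
}

var SamplePods = []Pod{
	{Name: "sa-on-pod-off", ServiceAccountName: "sa-mount", AutomountServiceAccountToken: boolPtr(false)},
	{Name: "sa-off-pod-on", ServiceAccountName: "sa-nomount", AutomountServiceAccountToken: boolPtr(true)},
	{Name: "sa-off-pod-unset", ServiceAccountName: "sa-nomount"},
	{Name: "all-unset"}, // falls back to the "default" service account
}

func main() {
	for _, v := range Compare(SamplePods, SampleSAs) {
		fmt.Printf("%-18s effective=%-5v reported=%-5v FP=%-5v FN=%v\n",
			v.Pod, v.Effective, v.ReportedBySA, v.FalsePositive, v.FalseNegative)
	}
}
```

The first fixture row is the false positive from the issue (ServiceAccount true, pod false), the second the false negative (ServiceAccount false, pod true); the last two show that the ServiceAccount-only check is only right when the pod spec leaves the field unset. Any check that wants to match what the kubelet does has to read the pod spec first and fall back to the ServiceAccount only when that field is absent.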