I am not deeply familiar with the scope of the pod security admission policies. However, it seems that setting automountServiceAccountToken to true (the default) on a pod spec can allow a pod to escalate privileges via Kubernetes API access. Is there a reason there is not a rule for this pod spec configuration in the Pod Security Standards?
While I think the ability to restrict automountServiceAccountToken would be helpful in a general purpose admission policy library, which this apparently is not, I don't think it would be feasible to enforce it in all namespaces at this time, for the reasons explained here:
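Added example, not part of the issue or its replies: a small Python audit that works out which pods would actually get a service account token mounted, following the Kubernetes rule that the pod-level `automountServiceAccountToken` overrides the ServiceAccount's field and that the default is true when neither is set. The function names and the sample manifests are constructed for illustration.

```python
# Added example: resolve whether a pod ends up with an API token auto-mounted.
# All manifests below are constructed sample data, not taken from the issue.
# Explicit projected serviceAccountToken volumes are out of scope here.

def effective_automount(pod, service_accounts):
    """Return True if a service account token would be auto-mounted.

    Precedence: pod spec field if set, else the ServiceAccount's field,
    else the default (True).
    """
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    namespace = pod.get("metadata", {}).get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((namespace, sa_name), {})
    sa_setting = sa.get("automountServiceAccountToken")
    return True if sa_setting is None else bool(sa_setting)


def audit(pods, service_accounts):
    """Return 'namespace/name' for every pod that would receive a token."""
    findings = []
    for pod in pods:
        if effective_automount(pod, service_accounts):
            meta = pod.get("metadata", {})
            findings.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return findings


# Constructed ServiceAccounts, keyed by (namespace, name).
SAMPLE_SERVICE_ACCOUNTS = {
    ("web", "default"): {},
    ("batch", "no-token"): {"automountServiceAccountToken": False},
}

# Constructed pods covering the four precedence cases.
SAMPLE_PODS = [
    {"metadata": {"namespace": "web", "name": "frontend"}, "spec": {}},
    {"metadata": {"namespace": "web", "name": "static"},
     "spec": {"automountServiceAccountToken": False}},
    {"metadata": {"namespace": "batch", "name": "job"},
     "spec": {"serviceAccountName": "no-token"}},
    {"metadata": {"namespace": "batch", "name": "debug"},
     "spec": {"serviceAccountName": "no-token", "automountServiceAccountToken": True}},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print("token auto-mounted:", name)
```

The `batch/debug` case shows why a ServiceAccount-level opt-out alone is not enough: a pod spec can turn the mount back on.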