Each Pod scheduled by Kubernetes has the following files mounted under /var/run/secrets/kubernetes.io/serviceaccount/:
bash-5.0# ls -l /var/run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx 1 root root 13 Nov 13 07:22 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Nov 13 07:22 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Nov 13 07:22 token -> ..data/token
The majority of containerized workloads do not need to interact with the Kubernetes API server. Hence they don't need to read the token associated with the ServiceAccount used to create the Pod.
On the other hand, an attacker who gains access to the container can use this token to perform malicious operations against the API server and potentially find a way to escape (for example, by starting a privileged Pod in the same Namespace).
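To find the workloads that carry a token they do not need, the following added example (not part of the original page) audits which Pods end up with the token mounted, based on the automountServiceAccountToken field that Kubernetes accepts on both the Pod spec and the ServiceAccount. The sample listing and every name in it (shop, web, cache, worker, operator, no-token) are constructed; its shape assumes the output of kubectl get pods,serviceaccounts -o json.

```python
import json

# Constructed sample, shaped like `kubectl get pods,serviceaccounts -n shop -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "shop"}},
  {"kind": "ServiceAccount", "metadata": {"name": "no-token", "namespace": "shop"},
   "automountServiceAccountToken": false},
  {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"}, "spec": {}},
  {"kind": "Pod", "metadata": {"name": "cache", "namespace": "shop"},
   "spec": {"automountServiceAccountToken": false}},
  {"kind": "Pod", "metadata": {"name": "worker", "namespace": "shop"},
   "spec": {"serviceAccountName": "no-token"}},
  {"kind": "Pod", "metadata": {"name": "operator", "namespace": "shop"},
   "spec": {"serviceAccountName": "no-token", "automountServiceAccountToken": true}}
]}
""")


def token_is_mounted(pod, service_accounts):
    """Return True if the API token ends up mounted in the Pod's containers."""
    spec = pod.get("spec") or {}
    # A value set on the Pod spec takes precedence over the ServiceAccount.
    value = spec.get("automountServiceAccountToken")
    if value is None:
        sa_name = spec.get("serviceAccountName") or "default"
        sa = service_accounts.get((pod["metadata"]["namespace"], sa_name), {})
        value = sa.get("automountServiceAccountToken")
    # When neither object sets the field, Kubernetes mounts the token.
    return True if value is None else bool(value)


def pods_with_token(listing):
    """List namespace/name of every Pod that gets the token mounted."""
    items = listing.get("items", [])
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
           for i in items if i.get("kind") == "ServiceAccount"}
    return sorted(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
                  for p in items
                  if p.get("kind") == "Pod" and token_is_mounted(p, sas))


if __name__ == "__main__":
    for name in pods_with_token(SAMPLE):
        print("token mounted:", name)
```

Pods reported here that never call the API server are candidates for automountServiceAccountToken: false, set either on the Pod spec or on their ServiceAccount.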