
Azure AKS – Reviewing recommendations from Security Center – Disabling Automounting API Credentials

You might see the following recommendation in Azure Security Center (assuming you have enabled the Security Center add-on for AKS).

Below is a short write-up of how such credentials can be used from a possibly compromised Pod.

[ASC] Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters.

How does the feature look from the Pod side?

  • You should see a token when checking: kubectl exec "yourPod" -n "namespace" -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
  • If the token is there, the Pod's default identity (its ServiceAccount) can query the API server from inside the Pod:
# The token and the API server CA are mounted side by side in the Pod
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# Use --insecure (-k) instead of --cacert only if you really don't want to read the CA cert
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
     --header "Authorization: Bearer ${TOKEN}" \
     https://kubernetes.default.svc/api/v1/


  • You can read such events from Azure Log Analytics (or a Sentinel-enabled workspace), provided the cluster's diagnostic settings send kube-audit logs to the workspace
    • Example query that finds an attacker using curl from the compromised Pod

// Table name assumed (the original query omitted it): AKS kube-audit diagnostics land in AzureDiagnostics with the audit event JSON in log_s
AzureDiagnostics
| where Category == "kube-audit"
| where TimeGenerated > now() - 10min
| extend auditL = parse_json(log_s)
| where tostring(auditL['requestURI']) contains "api"
| where tostring(auditL['userAgent']) contains "curl"
| project auditL
| evaluate bag_unpack(auditL)
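The same detection logic as the query above, written in Python over a few constructed kube-audit events so it can be tried offline. This is an added example, not code from the original post; the sample events, IP addresses and usernames are made up. It tightens the query slightly by also requiring the caller to be a service account, which is exactly the identity an attacker gets from a token mounted into a Pod.

```python
import json

# Constructed sample kube-audit entries, shaped like the JSON that AKS writes
# into the log_s column. Not real cluster data.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "kind": "Event", "stage": "ResponseComplete", "verb": "get",
        "requestURI": "/api/v1/",
        "userAgent": "curl/7.68.0",
        "user": {"username": "system:serviceaccount:default:default"},
        "sourceIPs": ["10.244.1.7"],
        "responseStatus": {"code": 200},
    }),
    json.dumps({
        "kind": "Event", "stage": "ResponseComplete", "verb": "list",
        "requestURI": "/api/v1/namespaces/default/secrets",
        "userAgent": "curl/7.68.0",
        "user": {"username": "system:serviceaccount:default:default"},
        "sourceIPs": ["10.244.1.7"],
        "responseStatus": {"code": 403},   # denied, but still worth seeing: someone is probing
    }),
    json.dumps({
        "kind": "Event", "stage": "ResponseComplete", "verb": "get",
        "requestURI": "/api/v1/namespaces/kube-system/pods",
        "userAgent": "kubectl/v1.21.2 (linux/amd64) kubernetes/092fbfb",
        "user": {"username": "admin@example.com"},
        "sourceIPs": ["203.0.113.10"],
        "responseStatus": {"code": 200},
    }),
    json.dumps({
        "kind": "Event", "stage": "ResponseComplete", "verb": "get",
        "requestURI": "/healthz",
        "userAgent": "curl/7.68.0",
        "user": {"username": "system:serviceaccount:kube-system:probe"},
        "sourceIPs": ["10.244.0.3"],
        "responseStatus": {"code": 200},
    }),
]


def parse_audit_line(line):
    """Equivalent of parse_json(log_s): one audit event per line, None if malformed."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_curl_from_service_account(event):
    """The query's predicate, tightened: an API path (/api or /apis), a curl
    user agent, and a service-account caller (the identity a mounted token gives)."""
    uri = event.get("requestURI", "")
    agent = event.get("userAgent", "").lower()
    user = event.get("user", {}).get("username", "")
    return (
        uri.startswith("/api")
        and "curl" in agent
        and user.startswith("system:serviceaccount:")
    )


def find_suspicious_calls(lines):
    """Return a compact projection (like the query's bag_unpack) of every matching event."""
    hits = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None or not is_curl_from_service_account(event):
            continue
        hits.append({
            "user": event["user"]["username"],
            "verb": event.get("verb"),
            "requestURI": event["requestURI"],
            "sourceIP": (event.get("sourceIPs") or [None])[0],
            "status": event.get("responseStatus", {}).get("code"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_calls(SAMPLE_AUDIT_LINES):
        print(hit)
```

Running it flags the two curl calls made with the default service account (including the 403 on secrets, which is a probe you want to see) and ignores the kubectl call by a human user and the curl against /healthz.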


Kubernetes versions since 1.6 allow setting "automountServiceAccountToken" to false, either on the ServiceAccount or in the Pod spec (a value set on the Pod overrides the ServiceAccount). Workloads that genuinely need the API can keep the token; the point is that Pods which never talk to the API server should not carry a credential for it.

# From the Kubernetes/AKS documentation (source: the MS Security Center link below)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
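An added example (not from the original post or from the Kubernetes/AKS docs) that audits a set of manifests and lists the Pods that would still get a token, applying the precedence rule: a value in the Pod spec overrides the ServiceAccount, and when neither sets the field the token is mounted. The manifests, names and images are constructed; they are plain dicts so the script runs without a YAML library.

```python
# Constructed sample manifests (as you would get after loading YAML), not from any real cluster.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "default"}},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "build-robot", "namespace": "default"},
     "automountServiceAccountToken": False},
    # Uses the "default" SA and says nothing itself -> token is mounted
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    # Uses build-robot and inherits its opt-out -> no token
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "builder", "namespace": "default"},
     "spec": {"serviceAccountName": "build-robot",
              "containers": [{"name": "b", "image": "alpine"}]}},
    # Pod spec wins over the ServiceAccount: explicitly re-enables the mount
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "builder-debug", "namespace": "default"},
     "spec": {"serviceAccountName": "build-robot",
              "automountServiceAccountToken": True,
              "containers": [{"name": "b", "image": "alpine"}]}},
    # Pod opts out itself even though the default SA would mount
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "batch", "namespace": "default"},
     "spec": {"automountServiceAccountToken": False,
              "containers": [{"name": "b", "image": "alpine"}]}},
]


def effective_automount(pod, service_accounts):
    """Apply the Kubernetes precedence rule for automountServiceAccountToken:
    the Pod spec overrides the ServiceAccount; if neither sets it, the token is mounted.
    service_accounts maps (namespace, name) -> ServiceAccount manifest."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = pod["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))


def pods_with_token_mounted(manifests):
    """Return 'namespace/name' for every Pod that would get an API token mounted."""
    service_accounts = {
        (m["metadata"].get("namespace", "default"), m["metadata"]["name"]): m
        for m in manifests if m.get("kind") == "ServiceAccount"
    }
    return [
        f"{m['metadata'].get('namespace', 'default')}/{m['metadata']['name']}"
        for m in manifests
        if m.get("kind") == "Pod" and effective_automount(m, service_accounts)
    ]


if __name__ == "__main__":
    for ref in pods_with_token_mounted(SAMPLE_MANIFESTS):
        print("token still mounted:", ref)
```

On the sample set only default/web (no opt-out anywhere) and default/builder-debug (the Pod re-enabled the mount) are reported; the same check is what you would want in CI before manifests reach the cluster, and on a live cluster the kubectl exec check above is the ground truth for what actually got mounted.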


Source: MS Security Center


