# Ensure Default Service Accounts Are Not Actively Used (CIS 5.1.5)

> Improve auditability and security by disabling the default service account token mounting

## Impact & Risk Analysis

* **Severity:** Medium
* **CIS Benchmark:** CIS 5.1.5
* **Impact:** **Implicit Privilege & Audit Gaps.** Every namespace has a `default` service account, and any Pod that does not name a service account runs as it. If that account is ever granted permissions, whether deliberately or by a careless RoleBinding, *every* such Pod in the namespace inherits them, and a compromised container can read the mounted token and exercise them against the API server. Because many unrelated workloads share one identity, an API audit log entry can no longer be attributed to a specific application, and the principle of least privilege is violated by default.

## Common Misconfiguration

Leaving `automountServiceAccountToken` unset on the `default` service account (Kubernetes treats an unset field as `true`). Every Pod in the namespace that does not specify its own service account then gets a token for the `default` account projected at `/var/run/secrets/kubernetes.io/serviceaccount/token`, even if the application never talks to the Kubernetes API. A Pod can also set `spec.automountServiceAccountToken` itself; when both are set, the Pod-level value takes precedence over the service account's.

## Vulnerable Example

```yaml theme={null}
# Vulnerable Service Account (Default)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: my-app
# VULNERABLE: Tokens are mounted automatically to all pods
automountServiceAccountToken: true

```

## Secure Example

```yaml theme={null}
# Secure Service Account (Default)
# We disable token mounting to prevent unused tokens from existing in pods
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: my-app
# SECURE: No token is mounted unless explicitly requested
automountServiceAccountToken: false

```

```yaml theme={null}
# Secure Workload
# Use a specific, dedicated service account for apps that NEED access
apiVersion: v1
kind: Pod
metadata:
  name: my-api-client
spec:
  # SECURE: Explicitly use a custom service account
  serviceAccountName: my-custom-sa
  containers:
  - name: app
    image: my-app:latest

```

## Audit Procedure

For each namespace in the cluster, ensure that the `automountServiceAccountToken` setting is set to `false` for the `default` service account.

```bash theme={null}
# Check all default service accounts
kubectl get serviceaccounts --all-namespaces -o jsonpath='{range .items[?(@.metadata.name=="default")]}{.metadata.namespace}{": "}{.automountServiceAccountToken}{"\n"}{end}'

```

* **Result:** The output should show `false` for every namespace.
* **Fail:** If the output shows `true` or is empty for a namespace. The API server omits the field when it has never been set, and an unset field means the Kubernetes default of `true`.

Additionally, verify that no Roles or ClusterRoles are bound to the `default` service account.
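The two checks above can be run together against saved `kubectl` output. The script below is an added example, not part of the CIS benchmark or this guide's own tooling; it consumes the JSON from `kubectl get serviceaccounts -A -o json` and `kubectl get rolebindings,clusterrolebindings -A -o json`, and the `SAMPLE_*` dictionaries are constructed stand-ins for that output so it runs without a cluster. The namespace, binding and role names in the samples are made up for illustration.

```python
"""Offline audit for CIS 5.1.5 over `kubectl ... -o json` output.

Capture cluster state with:
    kubectl get serviceaccounts -A -o json > sa.json
    kubectl get rolebindings,clusterrolebindings -A -o json > bindings.json
then run `python audit_default_sa.py sa.json bindings.json`. Without
arguments the constructed SAMPLE_* data below is audited instead.
"""
import json
import sys

# Constructed sample of `kubectl get serviceaccounts -A -o json`:
# kube-system has been remediated; my-app leaves the field unset (default: true).
SAMPLE_SERVICEACCOUNTS = {
    "items": [
        {"metadata": {"name": "default", "namespace": "kube-system"},
         "automountServiceAccountToken": False},
        {"metadata": {"name": "default", "namespace": "my-app"}},
        {"metadata": {"name": "my-custom-sa", "namespace": "my-app"},
         "automountServiceAccountToken": True},
    ]
}

# Constructed sample of `kubectl get rolebindings,clusterrolebindings -A -o json`.
# In a mixed list every item carries its own `kind`; `subjects` may be absent.
SAMPLE_BINDINGS = {
    "items": [
        {"kind": "RoleBinding",
         "metadata": {"name": "read-pods", "namespace": "my-app"},
         "roleRef": {"kind": "Role", "name": "pod-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "my-app"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "app-reader"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "ServiceAccount", "name": "my-custom-sa", "namespace": "my-app"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "no-subjects"},
         "roleRef": {"kind": "ClusterRole", "name": "view"}},
    ]
}


def automount_failures(sa_list):
    """Namespaces whose `default` ServiceAccount still auto-mounts tokens.

    The API server omits the field when it is unset and unset means true,
    so only an explicit False counts as a pass.
    """
    failures = []
    for item in sa_list.get("items", []):
        meta = item["metadata"]
        if meta["name"] == "default" and item.get("automountServiceAccountToken") is not False:
            failures.append(meta["namespace"])
    return sorted(failures)


def bindings_to_default(binding_list):
    """(binding kind, binding name, subject namespace, role name) for every
    RoleBinding or ClusterRoleBinding whose subjects include a `default` SA."""
    hits = []
    for item in binding_list.get("items", []):
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                hits.append((item["kind"], item["metadata"]["name"],
                             subj.get("namespace"), item["roleRef"]["name"]))
    return hits


def audit(sa_list, binding_list):
    """Return human-readable findings; an empty list means the control passes."""
    findings = [f"FAIL {ns}: default SA auto-mounts its token"
                for ns in automount_failures(sa_list)]
    findings += [f"FAIL {kind} {name}: grants {role} to default SA in {ns}"
                 for kind, name, ns, role in bindings_to_default(binding_list)]
    return findings


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            sa_list = json.load(f)
        with open(argv[2]) as f:
            binding_list = json.load(f)
    else:
        sa_list, binding_list = SAMPLE_SERVICEACCOUNTS, SAMPLE_BINDINGS
    findings = audit(sa_list, binding_list)
    print("\n".join(findings) if findings else "PASS: CIS 5.1.5")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the constructed sample the script reports two failures: the `my-app` namespace still auto-mounts the default token, and the `read-pods` RoleBinding grants `pod-reader` to that same default account. A binding to a dedicated account such as `my-custom-sa` is not flagged, which is the state the Secure Example above aims for.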

## Remediation

1. **Create Explicit Accounts:** Create a dedicated service account for each workload that actually requires access to the Kubernetes API, and grant its permissions to that account only.
2. **Remove Bindings to `default`:** Delete, or re-point to the dedicated account, any RoleBinding or ClusterRoleBinding whose subjects include a `default` service account.
3. **Disable Default Token:** Modify the `default` service account in every namespace so that it no longer mounts a token automatically. The `patch` command below must be run per namespace, so loop over them:

```bash theme={null}
# Disable automatic token mounting on the default service account in every namespace
for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
  kubectl patch serviceaccount default -n "$ns" -p '{"automountServiceAccountToken": false}'
done
```
