Skip to content

Container service account


ID: MS-TA9016
Tactic: Credential Access, Lateral Movement, Persistence
MITRE technique: T1528

Service account (SA) represents an application identity in Kubernetes. By default, a Service Account access token is mounted to every created pod in the cluster and containers in the pod can send requests to the Kubernetes API server using the Service Account credentials. Attackers who get access to a pod can access the Service Account token (located in /var/run/secrets/ and perform actions in the cluster, according to the Service Account permissions. If RBAC is not enabled, the Service Account has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings \ ClusterRoleBindings that are associated with it.

An attacker which get access to the Service Account token can also authenticate and access the Kubernetes API server from outside the cluster and maintain access to the cluster.


ID Mitigation Description
MS-M9025 Disable Service Account Auto Mount Disable service account auto mount.
MS-M9003 Adhere to least-privilege principle Configure the Kubernetes RBAC such that each service account will have the minimal necessary permissions for the application’s functionality.