Kubernetes clusters should disable automounting API credentials

HIGH

Prevents Kubernetes from automatically mounting service account API tokens into pods that do not need them.

What does this mean?

By default, Kubernetes mounts a service account API token into every pod. If a pod is compromised, an attacker can use this token to interact with the Kubernetes API. This recommendation disables automatic mounting unless a workload explicitly requires it.

Benefits of implementation

  • Reduces the attack surface if a pod is compromised
  • Prevents lateral movement within the cluster via API tokens
  • Follows the principle of least privilege

Drawbacks and considerations

  • Pods that legitimately need API access must explicitly request it
  • May break existing workloads that rely on default service account tokens
  • Requires per-workload evaluation of API access needs

Implementation

Implementation guidance coming soon.
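The page gives no implementation yet, so the following is an added audit example (not the page's own guidance) that applies the rule Kubernetes uses when deciding whether to mount a token: the pod's spec.automountServiceAccountToken overrides the ServiceAccount's automountServiceAccountToken, and when both are unset the token is mounted. It also flags pods that mount a token explicitly through a projected volume. The input objects are constructed to resemble `kubectl get sa,pods -o json` output; they are not real cluster data.

```python
# Added audit example: for each pod, decide whether Kubernetes would mount a
# service account API token, following the precedence rule
# pod.spec.automountServiceAccountToken > ServiceAccount.automountServiceAccountToken > default (True).

def sa_automount(service_accounts, namespace, name):
    """Return the ServiceAccount-level setting, or None when it is unset."""
    for sa in service_accounts:
        if sa["metadata"]["namespace"] == namespace and sa["metadata"]["name"] == name:
            return sa.get("automountServiceAccountToken")
    return None  # unknown ServiceAccount behaves as unset (default: mount)

def token_is_mounted(pod, service_accounts):
    """True when the pod receives an API token, automatically or via an
    explicit projected volume with a serviceAccountToken source."""
    spec = pod["spec"]
    pod_setting = spec.get("automountServiceAccountToken")
    sa_name = spec.get("serviceAccountName", "default")  # pods without an SA use "default"
    if pod_setting is not None:
        automount = pod_setting
    else:
        sa_setting = sa_automount(service_accounts, pod["metadata"]["namespace"], sa_name)
        automount = True if sa_setting is None else sa_setting
    explicit = any(
        "serviceAccountToken" in src
        for vol in spec.get("volumes", [])
        for src in vol.get("projected", {}).get("sources", [])
    )
    return automount or explicit

def pods_with_token(pods, service_accounts):
    """Sorted names of pods that end up with an API token mounted."""
    return sorted(p["metadata"]["name"] for p in pods if token_is_mounted(p, service_accounts))

# Constructed sample objects (not real cluster output).
SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "web", "name": "default"}, "automountServiceAccountToken": False},
    {"metadata": {"namespace": "web", "name": "controller"}},  # setting unset
]
PODS = [
    {"metadata": {"namespace": "web", "name": "nginx"}, "spec": {}},  # SA says False -> no token
    {"metadata": {"namespace": "web", "name": "operator"},
     "spec": {"serviceAccountName": "controller"}},  # unset everywhere -> token
    {"metadata": {"namespace": "web", "name": "job"},
     "spec": {"automountServiceAccountToken": True}},  # pod overrides SA -> token
    {"metadata": {"namespace": "web", "name": "api"},
     "spec": {"automountServiceAccountToken": False, "volumes": [{"name": "tok", "projected": {
         "sources": [{"serviceAccountToken": {"path": "token"}}]}}]}},  # explicit mount -> token
]

if __name__ == "__main__":
    print("pods with an API token mounted:", pods_with_token(PODS, SERVICE_ACCOUNTS))
```

Pods reported by the audit are the ones to review per workload; those that do not need the API should get `automountServiceAccountToken: false` on the pod spec or on their ServiceAccount.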


Details
Risk Level
HIGH
Category
Kubernetes / AKS
Frameworks
3 frameworks
Last updated
2026-02-12