- The repo houses a Kubernetes controller that watches the `default` service account across all namespaces and sets the `automountServiceAccountToken` field to `false`.
- By setting `automountServiceAccountToken` to `false` for all `default` service accounts, the controller fulfills control 5.1.5 of the CIS Kubernetes Benchmark.
- The controller is based on the example controllers available here.
- You will need to install `kind`.
- You will also need to install `curl`, `docker`, `make` and `kubectl`.
- Tests use the envtest binaries and can be run locally using the following make target:

  ```sh
  make tests
  ```

- You can build and run the controller in a local kind cluster using the following make target:

  ```sh
  make kind-
  ```

  The above command will create a new kind cluster called `demo` based on Kubernetes version `1.33.1` and will build and import the Docker image into the kind nodes.
- Once the Docker image is loaded into the kind cluster, you can run it as a Kubernetes deployment using the following make target:

  ```sh
  make deploy
  ```

- Check the logs from the controller using the following command:

  ```sh
  make logs
  ```

- To test the controller, you can create a new namespace and check the `default` service account in that namespace:

  ```sh
  kubectl create namespace test-namespace
  kubectl get serviceaccount default -n test-namespace -o yaml
  ```

  You should see the `automountServiceAccountToken` field set to `false` in the output of the above command.

  Output:

  ```yaml
  apiVersion: v1
  automountServiceAccountToken: false
  kind: ServiceAccount
  metadata:
    creationTimestamp: "2025-07-01T16:36:52Z"
    name: default
    namespace: test-namespace
    resourceVersion: "2450"
    uid: a25876f2-6ecd-4d9a-ac48-c6ebc0ea49bb
  ```

- If you patch the service account to set `automountServiceAccountToken` to `true`, the controller will automatically revert it back to `false`:

  ```sh
  kubectl patch serviceaccount default -n test-namespace --type='json' -p='[{"op": "replace", "path": "/automountServiceAccountToken", "value": true}]'
  ```

- Cleanup the test cluster:

  ```sh
  make kind-delete-cluster
  ```
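The following Go program is an added example, not code from this repository, that models the decision the controller makes on every reconcile: a `default` service account whose `automountServiceAccountToken` is unset (`nil`) or `true` is out of compliance and gets a merge patch setting it to `false`; everything else is left alone, and a second pass over an already-corrected object is a no-op, which is what lets the controller revert the `kubectl patch` shown above without fighting itself. It assumes the list shape of `kubectl get serviceaccounts -A -o json` and uses only the standard library; the sample list embedded in `sampleList` is constructed, not real cluster output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// saItem holds the fields of a core/v1 ServiceAccount that the check needs.
// In the Kubernetes API automountServiceAccountToken is a *bool: nil means the
// field is unset, and an unset field lets pods mount the token by default.
type saItem struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
}

// saList matches the shape of `kubectl get serviceaccounts -A -o json`.
type saList struct {
	Items []saItem `json:"items"`
}

// ParseList decodes a ServiceAccountList JSON document.
func ParseList(data []byte) ([]saItem, error) {
	var list saList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, err
	}
	return list.Items, nil
}

// NeedsPatch reports whether a service account is in scope (named "default")
// and does not explicitly disable token automounting. Both an unset field and
// an explicit true are treated as non-compliant.
func NeedsPatch(sa saItem) bool {
	if sa.Metadata.Name != "default" {
		return false
	}
	return sa.AutomountServiceAccountToken == nil || *sa.AutomountServiceAccountToken
}

// MergePatch is the merge patch body that sets the field to false; a
// hypothetical controller would send it with a merge-type patch, which is the
// same document `kubectl patch --type=merge` accepts.
func MergePatch() []byte {
	b, _ := json.Marshal(map[string]bool{"automountServiceAccountToken": false})
	return b
}

// Reconcile is the observe-compare-correct step for one object. It returns
// true when a write was required, so calling it again on the same object
// returns false: the loop is idempotent.
func Reconcile(sa *saItem) bool {
	if !NeedsPatch(*sa) {
		return false
	}
	off := false
	sa.AutomountServiceAccountToken = &off
	return true
}

// AuditNamespaces lists the namespaces whose default service account would be
// patched, in the order they appear in the list.
func AuditNamespaces(items []saItem) []string {
	var out []string
	for _, sa := range items {
		if NeedsPatch(sa) {
			out = append(out, sa.Metadata.Namespace)
		}
	}
	return out
}

// sampleList is constructed input in the shape kubectl emits; it is not real
// cluster output. "payments" has the field unset, "kube-system" has it true,
// and "ci/builder" is a non-default account that the controller must ignore.
const sampleList = `{"items":[
  {"metadata":{"name":"default","namespace":"test-namespace"},"automountServiceAccountToken":false},
  {"metadata":{"name":"default","namespace":"payments"}},
  {"metadata":{"name":"default","namespace":"kube-system"},"automountServiceAccountToken":true},
  {"metadata":{"name":"builder","namespace":"ci"},"automountServiceAccountToken":true}
]}`

func main() {
	items, err := ParseList([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	fmt.Println("non-compliant default service accounts in:", AuditNamespaces(items))
	fmt.Println("patch body:", string(MergePatch()))
	for i := range items {
		if Reconcile(&items[i]) {
			fmt.Printf("patched %s/%s\n", items[i].Metadata.Namespace, items[i].Metadata.Name)
		}
	}
	fmt.Println("after reconcile:", AuditNamespaces(items))
}
```

One caveat worth checking alongside this: a pod spec's own `automountServiceAccountToken` field takes precedence over the service account's, so a pod that sets it to `true` still gets the token even after the controller has corrected the `default` account. An audit for CIS 5.1.5 should therefore also look at pods running under `default` that set that field explicitly.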