Challenge, Easy,  on  Kubernetes

Disable ServiceAccount Token Automounting in a Pod

Scenario

Kubernetes mounts a ServiceAccount token into every Pod by default, but most Pods don't need API server access. Disabling it reduces the attack surface.

Task

Create a Pod in the default namespace that explicitly disables ServiceAccount token automounting.

The Pod should be named pod-no-token, use the httpd:trixie image, and have automountServiceAccountToken set to false. Verify that the token is not present inside the running Pod.

# Verify token is NOT mounted inside the pod
kubectl exec pod-no-token -- ls /var/run/secrets/kubernetes.io/serviceaccount/
Hint 1

To disable token automounting, set automountServiceAccountToken: false directly under spec in your Pod manifest.

See the official docs: Configure Service Accounts for Pods

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge disable-service-account-997a115e

This will create a local copy of the challenge content in a directory named disable-service-account-997a115e. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge disable-service-account-997a115e

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge