Challenge, Medium,  on  Kubernetes

Secure ServiceAccount Token Mounting Using Projected Volumes

Scenario

A Deployment manifest is located on dev-machine at:

/home/laborant/secure-app.yaml

It defines a Deployment named secure-app in the prod namespace using the ServiceAccount app-sa.

By default, Kubernetes automatically mounts a ServiceAccount token into every Pod at /var/run/secrets/kubernetes.io/serviceaccount/token. This token never expires — if the Pod is compromised, the token can be used indefinitely.

Cluster security policy requires this default behaviour to be disabled and replaced with a short-lived projected token mounted at a controlled path.

Task

Update the manifest at /home/laborant/secure-app.yaml and apply it to the cluster:

1. Disable automatic ServiceAccount token mounting on the Pod spec.

2. Add a projected volume with a ServiceAccount token that has:

  • audience: api
  • expiration: 3600 seconds
  • path: token

3. Mount the projected volume into app-container at /var/run/secrets/tokens.

  • Do not change the ServiceAccount name — app-sa must remain as the serviceAccountName in the Pod spec.
  • Ensure the old Pod is terminated and a new Pod is created successfully by the Deployment.
Hint

Set automountServiceAccountToken: false under spec.template.spec.

Use volumes[].projected.sources[].serviceAccountToken to define the token.

Mount it using volumeMounts in app-container.

See: Projected Volumes

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge secure-serviceaccount-token-mounting-using-projected-volumes-4a3ac9db

This will create a local copy of the challenge content in a directory named secure-serviceaccount-token-mounting-using-projected-volumes-4a3ac9db. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge secure-serviceaccount-token-mounting-using-projected-volumes-4a3ac9db

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge