Why Kubernetes ServiceAccount Tokens Leak in Production
DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · 2026-06-22 · 8 min
Episode notes
Kubernetes ServiceAccount tokens are often treated as invisible plumbing, but misconfigured automount and long-lived secrets create real security holes. In this episode, Lucas and Luna walk through a common leak pattern: a CI/CD pipeline that exposes a default token to a compromised sidecar. They explain how bound service account tokens (projected volumes) close the gap, why tools like kube-bench and OPA Gatekeeper can catch the drift, and what a production-hardened automount policy looks like.

Specific numbers: a single leaked token in a multi-tenant cluster can escalate to namespace-wide access within seconds.

Practical takeaway: disable automountServiceAccountToken on workloads that don't need it, and audit existing deployments with a regex search for mount paths.

If today's tech conversation gave you something usable, buymeacoffee.com/fexingo keeps these episodes ad-free and focused on real ops. Keep every episode free: buymeacoffee.com/fexingo

#Kubernetes #DevOps #ServiceAccount #TokenLeak #Security #CloudNative #K8sSecurity #CI/CD #Sidecar #BoundToken #ProjectedVolume #OPAGatekeeper #KubeBench #MultiTenant #ClusterOps #Technology #TechPodcast #FexingoBusiness
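The audit the episode recommends, as an added example (not code from the show): it reads workloads in the JSON shape `kubectl get deploy -A -o json` emits, flags pod templates that leave automount on, use a regex to catch mounts at the default token path, and reports static Secret volumes, while recognising an audience-bound projected token as the hardened form. The two manifests are constructed samples; the image names and namespace are placeholders.

```python
import json
import re

# Default path of the automounted token; a regex catches trailing-slash variants.
TOKEN_MOUNT_RE = re.compile(r"^/var/run/secrets/kubernetes\.io/serviceaccount/?$")

# Constructed sample in `kubectl get deploy -o json` shape: one legacy workload
# (long-lived Secret token at the default path, automount left on) and one
# hardened workload (automount off, short-lived audience-bound projected token).
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "ci", "name": "runner"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "build", "volumeMounts": [{"name": "sa-token",
             "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]},
                        {"name": "log-sidecar"}],
         "volumes": [{"name": "sa-token", "secret": {"secretName": "runner-token"}}]}}}},
    {"metadata": {"namespace": "ci", "name": "runner-hardened"},
     "spec": {"template": {"spec": {
         "automountServiceAccountToken": False,
         "containers": [{"name": "build", "volumeMounts": [{"name": "api-token",
             "mountPath": "/var/run/api-token"}]},
                        {"name": "log-sidecar"}],
         "volumes": [{"name": "api-token", "projected": {"sources": [
             {"serviceAccountToken": {"audience": "ci-api",
                                      "expirationSeconds": 600, "path": "token"}}]}}]}}}},
]})

def audit_pod_spec(pod_spec):
    """Return findings for one pod spec; an empty list means it passes."""
    findings = []
    if pod_spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken not disabled")
    for c in pod_spec.get("containers", []):
        for vm in c.get("volumeMounts", []):
            if TOKEN_MOUNT_RE.match(vm.get("mountPath", "")):
                findings.append(f"container {c['name']} mounts the default token path")
    for v in pod_spec.get("volumes", []):
        if "secret" in v:
            findings.append(f"volume {v['name']} is a static Secret (may hold a long-lived token)")
        for src in v.get("projected", {}).get("sources", []):
            tok = src.get("serviceAccountToken")
            if tok is not None and "audience" not in tok:
                findings.append(f"projected token {v['name']} is not audience-bound")
    return findings

def audit_kubectl_json(text):
    """Map 'namespace/name' -> findings for each workload in kubectl JSON output."""
    report = {}
    for item in json.loads(text)["items"]:
        meta, pod_spec = item["metadata"], item["spec"]["template"]["spec"]
        report[f"{meta['namespace']}/{meta['name']}"] = audit_pod_spec(pod_spec)
    return report
```

Run it against `audit_kubectl_json(open("deploys.json").read())` after exporting the cluster's workloads; the legacy sample yields three findings and the hardened one none.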