Every Pod in Kubernetes is associated with a Service Account which by default has access to the Kubernetes API. This access is made available to Pods by an auto-generated token that is made available to the Pod by Kubernetes. An attacker with access to a Pod can read the token and access the Kubernetes API.
It is recommended to explicitly specify a Service Account for all of your workloads (
Pod.Spec), and manage their permissions according to the least privilege principle.
Consider opting out automatic mounting of SA token using
automountServiceAccountToken: false on
ServiceAccount resource or