kubernetes clusters should disable automounting API credentials

[WickramBug]

Getting Azure Defender Recommendation as follows for the following containers.

Recommendation
"Kubernetes clusters should disable automounting API credentials"

Containers

1. csi-secrets-store/csi-secrets-store-provider-secrets-store-csi-driver-z4cdg
2. csi-secrets-store/csi-secrets-store-provider-secrets-store-csi-driver-5gfhh
3. csi-secrets-store/csi-secrets-store-provider-csi-secrets-store-provider-azurmr67h
4. csi-secrets-store/csi-secrets-store-provider-csi-secrets-store-provider-azurc2lrk

Are the auto mounting API credentials needed for these containers? If not how do we disable it on the above-mentioned containers?

Highly appreciate your input on this.

[aramase]

Hello 👋🏻

The service account token generated and mounted in the driver is required because the driver communicates with the Kube API server. Disabling it would render the driver unusable. Have you tried deploying the driver and provider in kube-system namespace to check if that resolves the warning?

Checkout "Why kube-system" section in the installation

[WickramBug]

Hello @aramase,

Thank you so much for your suggestion.

Since the account token generation is needed for this, we have decided to exclude the namespace that is related to csi-secret as a workaround. Therefore, I will mark your answer as solved.