Question 12
Domain 2: Cluster Hardening
What does setting automountServiceAccountToken: false on a Pod or ServiceAccount do?
Correct answer: A
Explanation
Task Statement 2.3 says to “Exercise caution in using service accounts” and specifically lists “Default service account auto-mount disable (automountServiceAccountToken: false).” This stops Kubernetes from mounting the service account token into the Pod, so the API access token is not automatically injected into the Pod filesystem.
Why each option is right or wrong
A. It prevents automatic injection of the API access token into the Pod filesystem
Kubernetes auto-mounts a ServiceAccount token into a Pod by default, unless the Pod is configured not to receive one. Setting `automountServiceAccountToken: false` on the Pod spec or the ServiceAccount disables that default mount, so the projected token volume is not mounted into the container filesystem. In current Kubernetes releases this is the documented control for service-account token auto-mounting. Without it, BoundServiceAccountTokenVolume would inject the token as a projected volume for API authentication.
B. It deletes the ServiceAccount from the namespace
ServiceAccount objects remain in the namespace; only token auto-mounting is disabled.
C. It disables RBAC evaluation for the Pod
RBAC still evaluates Pod requests; this setting only controls service account token mounting.
D. It forces the Pod to use host networking
Host networking is controlled by the Pod spec's hostNetwork field, not service account token mounting.