Question 14
Domain 2: Cluster Hardening
A security engineer wants to reduce unnecessary credential exposure for workloads that do not need Kubernetes API access. Which Pod configuration best disables automatic mounting of the default service account token?
Correct answer: B
Explanation
To prevent a Pod from automatically receiving a service account token, set `automountServiceAccountToken` to `false` in the Pod configuration. This is the direct control used to disable default token auto-mounting. — cks_syllabus.txt
Why each option is right or wrong
A. Set `serviceAccountName: false` in the Pod spec to stop token injection.
`serviceAccountName` selects an account name; it does not disable token auto-mounting.
B. Set `automountServiceAccountToken: false` in the Pod spec to prevent token mounting.
The source material identifies `automountServiceAccountToken: false` as the setting used to disable default service account auto-mounting for a workload, which directly addresses the goal of preventing automatic token exposure in the Pod.
C. Set `automountServiceAccountToken: true` in the Pod spec to block default token use.
`true` enables automatic mounting rather than disabling it.
D. Set `defaultServiceAccountToken: false` in the Pod spec to disable the token mount.
`defaultServiceAccountToken` is not the field named in the source material; the supported field is `automountServiceAccountToken`.