Question 350 of 997
Cluster Setup and HardeningmediumMultiple ChoiceObjective-mapped

Disabling Automatic Service Account Token Mounting

This CKS practice question tests your understanding of cluster setup and hardening. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are creating a ServiceAccount that should not automatically mount its token to pods. Which field should be set in the ServiceAccount manifest?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

automountServiceAccountToken: false

Option A is correct because the `automountServiceAccountToken` field in a ServiceAccount manifest, when set to `false`, prevents pods using that ServiceAccount from automatically mounting the service account token as a volume. This is a security hardening measure to reduce the attack surface in case a pod is compromised, as the token could be used to authenticate to the Kubernetes API server.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • automountServiceAccountToken: false

    Why this is correct

    This field in the ServiceAccount spec disables automatic mounting of the service account token.

    Related concept

    Read the scenario before looking for a memorised answer.

  • disableAutomount: true

    Why it's wrong here

    No such field exists.

  • tokenMountDisabled: true

    Why it's wrong here

    No such field exists.

  • mountToken: false

    Why it's wrong here

    No such field exists.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may confuse the ServiceAccount-level field with the Pod-level field of the same name, or invent non-existent field names like `disableAutomount` or `tokenMountDisabled`, instead of recalling the exact API field `automountServiceAccountToken`.

Detailed technical explanation

How to think about this question

Under the hood, when a ServiceAccount has `automountServiceAccountToken: false`, the Pod admission controller will not inject the projected service account token volume (typically mounted at `/var/run/secrets/kubernetes.io/serviceaccount`) into pods that reference that ServiceAccount. This is distinct from setting the same field at the Pod spec level, which overrides the ServiceAccount setting. In a real-world scenario, you might disable automatic token mounting for workloads that do not need to interact with the Kubernetes API, such as batch jobs or sidecar containers, to follow the principle of least privilege.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A practitioner preparing for the CKS exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CKS practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CKS practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CKS question test?

Cluster Setup and Hardening — This question tests Cluster Setup and Hardening — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: automountServiceAccountToken: false — Option A is correct because the `automountServiceAccountToken` field in a ServiceAccount manifest, when set to `false`, prevents pods using that ServiceAccount from automatically mounting the service account token as a volume. This is a security hardening measure to reduce the attack surface in case a pod is compromised, as the token could be used to authenticate to the Kubernetes API server.

What should I do if I get this CKS question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

5 more ways this is tested on CKS

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Which of the following is a valid method to disable automatic mounting of service account tokens for a pod?

easy
  • A.Delete the service account token secret
  • B.Add 'automountServiceAccountToken: false' to the pod spec
  • C.Use a NetworkPolicy to block access to the token
  • D.Set the service account's 'automountServiceAccountToken' field to false

Why B: Option B is correct because setting `automountServiceAccountToken: false` in the pod spec explicitly disables the automatic mounting of the service account token into the pod. This is the most direct and granular way to prevent the token from being available inside the container, which is a key hardening step to reduce the attack surface if the pod does not need to interact with the Kubernetes API.

Variation 2. A security policy requires that all ServiceAccounts in a namespace do not automatically mount their tokens. How can this be achieved at the namespace level?

medium
  • A.Set automountServiceAccountToken: false in each pod spec
  • B.Use a PodSecurityPolicy to deny token mounting
  • C.Set automountServiceAccountToken: false in the ServiceAccount definition
  • D.Delete the default ServiceAccount

Why C: Setting `automountServiceAccountToken: false` in the ServiceAccount definition applies the setting to all pods that use that ServiceAccount, effectively enforcing the policy at the namespace level when the default or all ServiceAccounts are configured this way. This is the correct approach because the ServiceAccount's `automountServiceAccountToken` field controls token mounting for pods referencing it, overriding any pod-level setting unless explicitly set in the pod spec.

Variation 3. Which THREE of the following are valid methods to disable automount of service account tokens for a pod?

hard
  • A.Set --service-account-issuer flag on API server
  • B.Set env: - name: KUBERNETES_SERVICE_ACCOUNT_TOKEN to false
  • C.Set automountServiceAccountToken: false in the ServiceAccount YAML
  • D.Set spec.automountServiceAccountToken: false in the Pod spec
  • E.Use the 'default' service account with automount disabled

Why C: Option C is correct because setting `automountServiceAccountToken: false` in the ServiceAccount YAML disables automatic mounting of the service account token for all pods that use that ServiceAccount. This is a declarative way to prevent the Kubernetes API server from injecting the token volume into pods, which is a key security hardening step to reduce the attack surface from compromised pods.

Variation 4. A pod in namespace 'ns1' has automountServiceAccountToken: false. However, the container still has a mounted service account token at /var/run/secrets/kubernetes.io/serviceaccount. What is the most likely cause?

hard
  • A.The automountServiceAccountToken field is set in the container spec instead of the pod spec
  • B.The kubelet is configured to always mount tokens
  • C.The namespace has a default automountServiceAccountToken: true
  • D.The pod is using a custom service account with automountServiceAccountToken: true

Why A: The `automountServiceAccountToken` field is a pod-level setting. If it is set to `false` in the pod spec, the kubelet will not automatically mount the service account token. However, if the field is mistakenly set inside a container spec (which is not a valid field for containers), the pod-level setting is ignored, and the default behavior (mounting the token) applies. This is why the token still appears mounted despite the intention to disable it.

Variation 5. What is the purpose of the 'automountServiceAccountToken: false' setting in a Pod spec?

easy
  • A.It disables the service account controller
  • B.It prevents the automatic mounting of the service account token into the pod
  • C.It deletes the service account after the pod starts
  • D.It prevents the pod from using any service account

Why B: Setting `automountServiceAccountToken: false` in a Pod spec prevents the automatic mounting of the Kubernetes service account token (a JWT) into the Pod's filesystem at `/var/run/secrets/kubernetes.io/serviceaccount/token`. This is a security hardening measure to reduce the attack surface for compromised containers, as the token can be used to authenticate to the Kubernetes API server. By default, Kubernetes mounts this token into every Pod, so explicitly disabling it is necessary when the Pod does not require API access.

Keep practising

More CKS practice questions

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This CKS practice question is part of Courseiva's free CNCF certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CKS exam.