From 549bef7fecc28c3374f976e97cad2c7aaf5074a2 Mon Sep 17 00:00:00 2001 From: Nelson Roberts Date: Fri, 10 Jul 2020 10:35:11 -0700 Subject: [PATCH] EIO-135: call out specific namespaces for default service accounts --- content/rancher/v2.x/en/security/hardening-2.4/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/security/hardening-2.4/_index.md b/content/rancher/v2.x/en/security/hardening-2.4/_index.md index 90eac2a0e35..d4ddfccc434 100644 --- a/content/rancher/v2.x/en/security/hardening-2.4/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.4/_index.md @@ -66,7 +66,7 @@ services: #### Set `automountServiceAccountToken` to `false` for `default` service accounts Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments. -For each namespace the **default** service account must include this value: +For each namespace including **default** and **kube-system** on a standard RKE install the **default** service account must include this value: ``` automountServiceAccountToken: false
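Review bot: The replacement sentence in the `@@ -66,7 +66,7 @@` hunk is ambiguous about scope and hard to parse. "For each namespace including **default** and **kube-system** on a standard RKE install" can be read as "every namespace, these two among them" or as "only these two", and the commit subject ("call out specific namespaces") does not settle which is meant. The word **default** also appears twice in bold in the same sentence, once as a namespace name and once as the service account name, so a reader can easily conflate the two. Suggest setting the parenthetical off with commas and formatting the namespace names as code, matching the heading's use of backticks, for example: "For each namespace, including `default` and `kube-system` on a standard RKE install, the `default` service account must include this value:". If the requirement is meant to cover every namespace, it would also help to say so explicitly, since the preceding paragraph describes the default service account as the one used by any workload with no specific service account assigned.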