Project: Cloud Infrastructure Security & Compliance
Issue: CMP-982

[IA-5(7)]: Polish the response to unencrypted static authenticators

    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • Related: OCPPLAN-6104 - FedRAMP moderate controls
    • Sprint: CMP Sprint 32

The control says:

    The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

    Supplemental Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).

What we need to answer is:

    • given that this control is part of the IA family, does just setting up an IdP that doesn't store the passwords satisfy the control?
    • if this control applies in a broader sense, we also need to include checking the keys' permissions
    • given that secrets are stored in etcd, we should mandate that etcd is encrypted
    • not mounting the SA access tokens in pods would help, too
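The last two bullets map to two upstream Kubernetes settings. The manifests below are an added example written for this ticket, not configuration from the ticket or from the OpenShift project: an EncryptionConfiguration that encrypts Secrets before they are written to etcd, and a ServiceAccount and Pod that opt out of token auto-mounting. The resource names, namespace, image and the key value are placeholders.

```yaml
# Added example, not from the ticket: the two mitigations proposed above as
# upstream Kubernetes configuration. All names and the key value are placeholders.
#
# (1) Encrypt Secrets at rest. This file is handed to kube-apiserver via
#     --encryption-provider-config. The key is a PLACEHOLDER; a real deployment
#     generates a random 32-byte key (for example: head -c 32 /dev/urandom | base64).
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes, so aescbc encrypts every new or
      # updated Secret before it reaches etcd.
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>   # placeholder, never commit a real key
      # identity (plaintext) is listed last only so Secrets written before
      # encryption was enabled stay readable until they are rewritten.
      - identity: {}
---
# (2) Stop mounting the ServiceAccount token into pods that never call the API.
#     Setting the field on the ServiceAccount makes it the default for every pod
#     that uses it; a pod may still set it explicitly, and the pod value wins.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa          # hypothetical name
  namespace: app        # hypothetical namespace
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: false   # explicit on the pod; overrides the SA default
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
```

Two points a reviewer of the control response would want noted. First, turning encryption on does not touch data already in etcd: existing Secrets have to be rewritten (e.g. `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) before the plaintext copies are gone. On OpenShift the equivalent switch is `spec.encryption.type: aescbc` on the cluster `APIServer` resource rather than a file on the control plane. Second, by the supplemental guidance quoted above, the key inside the EncryptionConfiguration file is itself an authenticator used in the form stored, so it needs the same file-permission check the second bullet asks for, or should be replaced by a `kms` provider so the key never sits on the node's disk.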

Assignee / Reporter: Jakub Hrozek (jhrozek@redhat.com)