1.2.30 Ensure that the --service-account-extend-token-expiration parameter is set to false

Information

By default (--service-account-extend-token-expiration=true) the API server extends the expiry of the service account tokens it injects into pods via the ServiceAccount admission plugin to one year, to ease the transition from the legacy, non-expiring Secret-based tokens to bound service account tokens.

This default is not ideal for security: for those injected tokens it ignores the value of --service-account-max-token-expiration, so a lost or stolen token could remain valid for up to a year. Note that the kubelet still rotates the projected token on the node roughly hourly, but rotation does not invalidate a copy that has already left the node; only the expiry in the token itself does.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --service-account-extend-token-expiration parameter to false.

--service-account-extend-token-expiration=false
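The following script is an added example (not part of the CIS benchmark text or of the Kubernetes project) that audits a kube-apiserver static pod manifest for this flag and remediates it in place. It treats a missing flag as a failure, because the kube-apiserver default is true. The manifest content, addresses and paths it creates for the demo are constructed; on a real Control Plane node point the functions at /etc/kubernetes/manifests/kube-apiserver.yaml.

```shell
#!/bin/sh
# Added example, not CIS or Kubernetes project code: audit and remediate
# --service-account-extend-token-expiration in a kube-apiserver static pod
# manifest. Sample manifest below is constructed for the demo.

FLAG='--service-account-extend-token-expiration'

# Returns 0 only when the flag is explicitly set to false.
# A missing flag is a failure: the kube-apiserver default is true
# (injected tokens extended to one year).
check_extend_token_expiration() {
    grep -Eq -- "^[[:space:]]*-[[:space:]]*${FLAG}=false[[:space:]]*$" "$1"
}

# Rewrites the manifest so the flag is present and false. Keeps the
# existing list indentation and never adds a duplicate entry. Writes back
# through the original file so its mode and ownership are preserved.
set_extend_token_expiration_false() {
    manifest="$1"
    tmp=$(mktemp)
    if grep -q -- "${FLAG}=" "$manifest"; then
        # Flag present with some value (true, "true", ...): force it to false.
        sed "s/${FLAG}=[\"'A-Za-z]*/${FLAG}=false/" "$manifest" > "$tmp"
    else
        # Flag absent: insert it directly after the "- kube-apiserver"
        # command entry, reusing that line's indentation.
        awk -v flag="$FLAG" '
            { print }
            /^[[:space:]]*-[[:space:]]*kube-apiserver[[:space:]]*$/ {
                match($0, /^[[:space:]]*/)
                print substr($0, 1, RLENGTH) "- " flag "=false"
            }' "$manifest" > "$tmp"
    fi
    cat "$tmp" > "$manifest"
    rm -f "$tmp"
}

# Demo on a constructed manifest (flag absent, so the default applies).
demo=$(mktemp)
cat > "$demo" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --service-account-max-token-expiration=24h
    image: registry.k8s.io/kube-apiserver
    name: kube-apiserver
EOF

if check_extend_token_expiration "$demo"; then
    echo "PASS: ${FLAG}=false"
else
    echo "FAIL: ${FLAG} not set to false (default true, tokens extended to 1 year)"
fi

set_extend_token_expiration_false "$demo"

if check_extend_token_expiration "$demo"; then
    echo "PASS after remediation:"
    grep -- "$FLAG" "$demo"
fi
rm -f "$demo"
```

The kubelet watches the static pod manifest directory and restarts kube-apiserver when the file changes, so the API server is briefly unavailable after remediation; on a multi-node control plane, change one node at a time.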

Impact:

Disabling this setting means that the service account token expiry configured for the cluster (including --service-account-max-token-expiration) will be enforced, and injected service account tokens will expire at the end of that time frame. Workloads that read the projected token file once at startup and cache its contents, rather than re-reading the file as the kubelet rotates it, will start failing with authentication errors when the shorter-lived token expires; standard Kubernetes client libraries re-read the file and are unaffected.

See Also

https://workbench.cisecurity.org/benchmarks/21709

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: a84fe5aae102711868aac4302f391eb4085a91ee3f2f38a1c470138ae7c4356b