1.2.26 Ensure that the --service-account-lookup argument is set to true

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Validate service account before validating token.

Rationale:

If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue.

Impact:

None

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.

--service-account-lookup=true

Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect.

Default Value:

By default, --service-account-lookup argument is set to true.

See Also

https://workbench.cisecurity.org/files/3371

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13), CSCv6|16, CSCv7|16

Plugin: Unix

Control ID: 0d3e0028bd1661481cbea42659e8b49f03ddacd5fb497a232d7d1544af217e11