Ensure that the --service-account-lookup argument is set to true

MEDIUM

Description

Description:

Validate service account before validating token.

Rationale:

If '--service-account-lookup' is disabled, the API server only verifies that the presented service account token is valid (correctly signed and, where applicable, unexpired); it does not check that the service account named in the token still exists in etcd. A token therefore keeps working after the corresponding service account is deleted, because the account's existence was only established when the token was issued, not when it is used. This is an example of a time-of-check to time-of-use (TOCTOU) security issue.

Remediation

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the control plane (master) node and set the parameter below.

--service-account-lookup=true

Alternatively, you can delete the '--service-account-lookup' parameter from this file so that the default, which is true, takes effect. The rule is only violated when the flag is explicitly set to false; an absent flag is compliant.
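The audit a practitioner would run before and after the remediation, as an added example that is not part of the original page or of the rule publisher's tooling. It assumes only the documented kube-apiserver flag semantics (a Go boolean flag whose default is true, so absence means enabled and a bare '--service-account-lookup' means true) and uses constructed sample manifests rather than real cluster files. Any value it does not recognise is treated as a failure so the check fails closed.

```shell
#!/bin/sh
# Added audit helper for this rule (example code, not from the original page).
# Classifies a kube-apiserver manifest (or any text carrying its argument
# list) by the effective value of --service-account-lookup.
# Exit status: 0 = compliant (flag absent, so the default "true" applies,
# or flag explicitly true); 1 = non-compliant (explicitly false, or an
# unrecognised value, which is failed closed).

sa_lookup_status() {
  src="$1"   # path to kube-apiserver.yaml, or "-" to read from stdin

  # kube-apiserver is a Go binary, so a boolean flag may be written
  # "--service-account-lookup=false", "--service-account-lookup=0" or bare
  # "--service-account-lookup" (meaning true). Take the first occurrence.
  flag=$(grep -oE -e '--service-account-lookup(=[A-Za-z0-9]*)?' "$src" | head -n 1)

  case "$flag" in
    "")
      echo "absent (default true)"; return 0 ;;
    --service-account-lookup|--service-account-lookup=[Tt]|--service-account-lookup=[Tt]rue|--service-account-lookup=TRUE|--service-account-lookup=1)
      echo "true"; return 0 ;;
    --service-account-lookup=[Ff]|--service-account-lookup=[Ff]alse|--service-account-lookup=FALSE|--service-account-lookup=0)
      echo "false"; return 1 ;;
    *)
      echo "unrecognised value: $flag"; return 1 ;;
  esac
}

# Writes a constructed sample manifest (not a real cluster file) to $1,
# inserting the extra command-line argument $2 if it is non-empty.
write_sample() {
  {
    printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: kube-apiserver\n  namespace: kube-system\nspec:\n  containers:\n  - name: kube-apiserver\n    command:\n    - kube-apiserver\n    - --anonymous-auth=false\n'
    [ -n "$2" ] && printf '    - %s\n' "$2"
    printf '    - --authorization-mode=Node,RBAC\n'
  } > "$1"
}

# Demonstration on three constructed manifests: flag absent, explicitly
# true, and explicitly false. Only the last one should fail.
tmp=$(mktemp -d)
write_sample "$tmp/absent.yaml" ""
write_sample "$tmp/explicit-true.yaml" "--service-account-lookup=true"
write_sample "$tmp/disabled.yaml" "--service-account-lookup=false"

for f in "$tmp"/*.yaml; do
  if sa_lookup_status "$f" >/dev/null; then
    echo "PASS $f"
  else
    echo "FAIL $f"
  fi
done
```

On a live control plane node the same function can be pointed at the running process instead of the manifest, which is what the CIS-style audit does: `ps -o args= -C kube-apiserver | sa_lookup_status -`. Checking the process as well as the file catches the case where the manifest was edited but the static pod has not yet been restarted by the kubelet.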

Policy Details

Rule Reference ID: AC_K8S_0036
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks