H3-2021-0007
Kubernetes Service Account Token Exposure
| Category | SECURITY_MISCONFIGURATION | 
| Base Score | 5.0 | 
Description
Every pod in Kubernetes is associated with a service account, which by default has access to the Kubernetes API. Kubernetes makes this access available to pods through an auto-generated token.
Impact
If exposed, an attacker can use a service account token to access sensitive information via requests to the API Server.
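The following audit is an added example, not part of the original advisory. It reports which pods receive the auto-generated token, using the Kubernetes rule that the pod's `automountServiceAccountToken` setting overrides the service account's, and that the token is mounted when neither is set. The manifests and the names `shop`, `web`, `job`, `operator`, `static` and `batch` are constructed sample data.

```python
import json

# Constructed sample input, shaped like a Kubernetes List of ServiceAccount
# and Pod objects in JSON form; none of these names come from the advisory.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "shop"}},
 {"kind": "ServiceAccount", "metadata": {"name": "batch", "namespace": "shop"},
  "automountServiceAccountToken": false},
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
  "spec": {"containers": [{"name": "nginx"}]}},
 {"kind": "Pod", "metadata": {"name": "job", "namespace": "shop"},
  "spec": {"serviceAccountName": "batch", "containers": [{"name": "worker"}]}},
 {"kind": "Pod", "metadata": {"name": "operator", "namespace": "shop"},
  "spec": {"serviceAccountName": "batch", "automountServiceAccountToken": true,
           "containers": [{"name": "ctl"}]}},
 {"kind": "Pod", "metadata": {"name": "static", "namespace": "shop"},
  "spec": {"automountServiceAccountToken": false, "containers": [{"name": "files"}]}}
]}
""")

FIELD = "automountServiceAccountToken"

def token_mounted(pod, service_accounts):
    """Return (mounted, reason). Precedence: pod spec, then the pod's
    ServiceAccount, then the default, which is to mount the token."""
    spec = pod.get("spec", {})
    if FIELD in spec:
        return bool(spec[FIELD]), "pod spec"
    # A pod with no serviceAccountName runs as its namespace's "default" account.
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName") or "default")
    sa = service_accounts.get(key, {})
    if FIELD in sa:
        return bool(sa[FIELD]), "service account"
    return True, "default (field unset)"

def audit(items):
    """List ("namespace/pod", reason) for every pod that gets a token mounted."""
    sas = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i
           for i in items if i["kind"] == "ServiceAccount"}
    findings = []
    for pod in (i for i in items if i["kind"] == "Pod"):
        mounted, reason = token_mounted(pod, sas)
        if mounted:
            meta = pod["metadata"]
            findings.append((f'{meta.get("namespace", "default")}/{meta["name"]}', reason))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{pod}: token mounted via {why}" for pod, why in audit(SAMPLE["items"])))
```

This check covers automounting only; a pod can also mount a token explicitly through a projected volume, which it does not inspect.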