96 lines
3.0 KiB
Plaintext
96 lines
3.0 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Service account tokens are Kubernetes secrets created automatically to authenticate applications running inside pods to the API server. If a pod is compromised, an attacker could use this token to gain access to other resources in the cluster.
|
|
|
|
For example, they could create new pods, modify existing ones, or even delete critical system pods, depending on the permissions associated with the service account.
|
|
|
|
Therefore, it's recommended to disable the automounting of service account tokens when it's not necessary for the application running in the pod.
|
|
|
|
=== What is the potential impact?
|
|
|
|
==== Unauthorized Access
|
|
If a pod with a mounted service account gets compromised, an attacker could potentially use the token to interact with the Kubernetes API, possibly leading to unauthorized access to other resources in the cluster.
|
|
|
|
==== Privilege Escalation
|
|
Service account tokens are often bound with roles that have extensive permissions. If these tokens are exposed, it could lead to privilege escalation where an attacker gains higher-level permissions than intended.
|
|
|
|
==== Data Breach
|
|
Service account tokens can be used to access sensitive data stored in the Kubernetes cluster. If these tokens are compromised, it could lead to a data breach.
|
|
|
|
==== Denial of Service
|
|
An attacker with access to a service account token could potentially overload the Kubernetes API server by sending a large number of requests, leading to a Denial of Service (DoS) attack.
|
|
|
|
|
|
== How to fix it
|
|
//== How to fix it in FRAMEWORK NAME
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,yaml,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: example-pod
|
|
spec: # Noncompliant
|
|
containers:
|
|
- name: example-pod
|
|
image: nginx:1.25.3
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,yaml,diff-id=1,diff-type=compliant]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: example-pod
|
|
spec:
|
|
containers:
|
|
- name: example-pod
|
|
image: nginx:1.25.3
|
|
automountServiceAccountToken: false
|
|
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
The automounting of service account tokens can be disabled by setting `automountServiceAccountToken: false` in the pod's specification. Additionally, it can be disabled in the configuration of an accompanied service account.
|
|
|
|
|
|
// === Pitfalls
|
|
//=== Going the extra mile
|
|
|
|
|
|
== Resources
|
|
=== Documentation
|
|
|
|
* Kubernetes Documentation - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/[Configure Service Accounts for Pods]
|
|
|
|
//=== Articles & blog posts
|
|
//=== Conference presentations
|
|
=== Standards
|
|
|
|
* CWE - https://cwe.mitre.org/data/definitions/306[CWE-306 - Missing Authentication for Critical Function]
|
|
//=== External coding guidelines
|
|
//=== Benchmarks
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Set automountServiceAccountToken to false for this specification of kind `kind=Pod|Deployment...`.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* Highlight the `containers` property.
|
|
endif::env-github,rspecator-view[]
|