Profile applicability: Level 1 - Master Node

Validate service account before validating token.

If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of a time-of-check to time-of-use security issue.

Note: By default, the --service-account-lookup argument is set to true.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that if the --service-account-lookup argument exists it is set to true.

Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the below parameter.
--service-account-lookup=true
Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect.
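The Audit step above can be scripted so that the "absent means default true" case is handled the same way as an explicit value. The following is an added example, not part of the CIS Benchmark; the sample command lines in it are constructed, and it assumes Go-style boolean flag syntax (value given with "=", bare flag means true, last occurrence wins).

```shell
#!/bin/sh
# Added example, not part of the CIS Benchmark text: evaluate the effective
# --service-account-lookup setting of a kube-apiserver command line.
# Pass = flag absent (default is true), bare flag, or --service-account-lookup=true.

# Print the effective value of --service-account-lookup for a command line.
# Assumes Go-style boolean flags: the value is given with "=", a bare flag
# means true, and when the flag is repeated the last occurrence wins.
sa_lookup_value() {
    value="true"                      # default when the flag is absent
    for word in $1; do
        case "$word" in
            --service-account-lookup=*) value="${word#*=}" ;;
            --service-account-lookup)   value="true" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Return 0 when the setting is compliant, 1 otherwise.
check_sa_lookup() {
    [ "$(sa_lookup_value "$1")" = "true" ]
}

# Audit the running API server on the Control Plane node (the manual step
# from the benchmark); the [k] trick keeps grep from matching itself.
audit_live() {
    cmdline=$(ps -ef | grep '[k]ube-apiserver' | head -n 1)
    if [ -z "$cmdline" ]; then
        echo "kube-apiserver process not found"
        return 2
    fi
    if check_sa_lookup "$cmdline"; then
        echo "PASS: --service-account-lookup is $(sa_lookup_value "$cmdline")"
    else
        echo "FAIL: --service-account-lookup is $(sa_lookup_value "$cmdline")"
        return 1
    fi
}

# Constructed sample command lines, not taken from a real cluster.
COMPLIANT_DEFAULT='kube-apiserver --authorization-mode=Node,RBAC --secure-port=6443'
COMPLIANT_EXPLICIT='kube-apiserver --service-account-lookup=true --secure-port=6443'
NON_COMPLIANT='kube-apiserver --service-account-lookup=false --secure-port=6443'
for c in "$COMPLIANT_DEFAULT" "$COMPLIANT_EXPLICIT" "$NON_COMPLIANT"; do
    if check_sa_lookup "$c"; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
```

Run audit_live on a Control Plane node to check the live process; a FAIL result points at the Remediation step above.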