Ensure that the --service-account-key-file argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The kube-apiserver is not explicitly configured with the --service-account-key-file argument. When the flag is absent the API server falls back to the key given by --tls-private-key-file to verify service account tokens, so the TLS serving key doubles as the token verification key. The key supplied here must be the public counterpart of the key the kube-controller-manager signs tokens with (--service-account-private-key-file).

Impact

When the TLS serving key is reused for token verification, a compromise of that one key lets an attacker both impersonate the API server and mint service account tokens that the API server accepts, and the key cannot be rotated independently of the serving certificate. An attacker who can forge tokens can impersonate any service account, gain unauthorized access to cluster resources and escalate privileges within the Kubernetes environment. Use a dedicated key pair: the private half for the controller manager, the public half for this flag.

Ensure that the --service-account-lookup argument is set to true

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with --service-account-lookup=false, which skips the check that the service account referenced by a token (and, for legacy secret-based tokens, the secret itself) still exists in the cluster. The default is true; only an explicit false disables the lookup. With it disabled, a token whose signature verifies is accepted even if its service account has since been deleted.

Impact

Tokens for deleted service accounts (or deleted token secrets) remain usable until they expire, and legacy secret-based tokens never expire, so deleting an account or secret no longer revokes access. An attacker holding such a token keeps access to cluster resources with stale credentials and bypasses the intended revocation.

Ensure that the --service-account-private-key-file argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The kube-controller-manager is not explicitly configured with the --service-account-private-key-file argument, which names the PEM-encoded RSA or ECDSA private key its token controller uses to sign service account tokens. Without it the token controller does not run, and whatever key is eventually used must be the private counterpart of the public key passed to the API server via --service-account-key-file.

Impact

If the signing key does not match the API server's verification key, tokens are rejected and workloads cannot authenticate; if the key is shared with another purpose such as TLS serving, or stored outside the controlled PKI directory, a leak of that key lets an attacker forge tokens, impersonate service accounts and escalate privileges within the Kubernetes cluster. Use a dedicated key pair whose public half is supplied to the API server.

Ensure that the --terminated-pod-gc-threshold argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The kube-controller-manager is not given the --terminated-pod-gc-threshold argument, which sets how many terminated pods may exist before the garbage collector starts deleting them. The default is 12500, and a value of 0 or less disables the collector entirely. Without an explicit, lower threshold, terminated pod objects accumulate in etcd.

Impact

Failure to set an appropriate threshold lets terminated pod objects pile up in etcd and in API server list and watch responses, consuming control plane storage, memory and CPU, degrading cluster performance and stability, and increasing management overhead.

Resolution

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set --terminated-pod-gc-threshold to an appropriate positive value, for example --terminated-pod-gc-threshold=10. The kubelet restarts the static pod when the manifest changes.

Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --tls-cert-file and --tls-private-key-file flags. The server still serves HTTPS, but without these flags it generates a self-signed certificate and key at startup (written to --cert-dir), which clients cannot validate against the cluster CA. This leaves API traffic open to interception and tampering by anyone who can position themselves on the path.

Impact

Clients that cannot verify the server's identity either fail to connect or are configured to skip verification, at which point an on-path attacker can present their own certificate and read or modify API traffic, including bearer tokens, client credentials and cluster configuration. This allows credential theft, unauthorized access and manipulation of cluster operations, undermining the security of the entire Kubernetes environment.

Ensure that the --tls-key-file argument is set as appropriate

Property
Language: terraform
Severity: critical

Description

Kubelet instances are running without a properly configured TLS serving key. The Kubelet has no --tls-key-file flag; the relevant arguments are --tls-cert-file and --tls-private-key-file (or the tlsCertFile and tlsPrivateKeyFile fields of the KubeletConfiguration file passed via --config). Without them the Kubelet serves its API on port 10250 with a self-signed certificate generated at startup, which the API server cannot validate, exposing node traffic to interception and tampering.

Impact

The API server connects to the Kubelet for exec, attach, logs, port-forward and metrics. If it cannot verify the Kubelet's certificate, or is configured to skip verification, an on-path attacker can impersonate the Kubelet and capture or alter that traffic, including the contents of exec sessions, gaining access to credentials, workloads or node management functions and potentially compromising the cluster or exposing data.

Ensure that the --token-auth-file parameter is not set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with the --token-auth-file parameter, which points it at a static CSV file of bearer tokens. The tokens are long-lived, stored in plaintext on the control plane node, and the file is read only at startup, so adding, rotating or revoking a token requires editing the file and restarting kube-apiserver. This lacks the management and revocation features of the other authenticators and increases the risk of unauthorized access.

Impact

Anyone who obtains a token, from the file itself, a backup, or a client configuration, can authenticate to the API server as the user and groups listed for it until the file is edited and the API server restarted. Compromised tokens are therefore slow to revoke, increasing the risk of persistent unauthorized control or data exposure. Prefer client certificates, OIDC or service account tokens, which support expiry and revocation.

Ensure that the --use-service-account-credentials argument is set to true

Property
Language: terraform
Severity: low

Description

The kube-controller-manager is not started with --use-service-account-credentials=true (the default is false). Without it, every controller loop runs with the controller manager's own, highly privileged credentials rather than each controller authenticating with its own service account in kube-system, so there is no isolation between controllers.

Impact

A vulnerability in or compromise of any one controller yields the full privilege of the shared identity instead of the narrow RBAC role bound to that controller's service account, making privilege escalation and lateral movement within the cluster easier. With the flag set, each controller uses its own service account (for example deployment-controller in kube-system) bound to the matching system:controller:* ClusterRole; kubeadm enables this by default.
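All eight checks above reduce to inspecting flags on three component command lines. The following Python audit is an added example, not code from the original page or from any scanner; it applies each check to a command list in the shape kubeadm writes into its static pod manifests. The command lines, file paths and severities it tests with are constructed for illustration. It follows the components' flag semantics: --flag value is accepted for string flags, booleans need --flag=value, a repeated flag keeps its last value, --service-account-lookup defaults to true, --use-service-account-credentials defaults to false, and a --terminated-pod-gc-threshold of 0 or less disables collection.

```python
"""Audit kube-apiserver, kube-controller-manager and kubelet command lines
against the flag checks above. Added example; all inputs are constructed."""
import os
from dataclasses import dataclass

# Boolean flags: pflag accepts a value for these only as --flag=value; a bare
# --flag means true and never consumes the next token.
BOOL_FLAGS = {"service-account-lookup", "use-service-account-credentials"}


@dataclass(frozen=True)
class Finding:
    component: str
    check: str     # flag(s) the check concerns
    severity: str  # severity as listed above
    detail: str


def parse_flags(argv: list[str]) -> dict[str, str]:
    """Flag name -> value for a command list such as a static pod's `command`.
    Handles --flag=value, --flag value (string flags) and bare booleans; a flag
    given twice keeps its last value, as pflag does. argv[0] is the binary."""
    flags: dict[str, str] = {}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, has_eq, value = arg[2:].partition("=")
            if not has_eq:
                if name in BOOL_FLAGS:
                    value = "true"
                elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                    value, i = argv[i + 1], i + 1
                else:
                    value = ""  # string flag without a value: treat as unset
            flags[name] = value
        i += 1
    return flags


def audit(argv: list[str]) -> list[Finding]:
    """Findings for one component command line; empty when every check passes."""
    if not argv:
        return []
    component, f = os.path.basename(argv[0]), parse_flags(argv)
    out: list[Finding] = []

    def add(check: str, sev: str, detail: str) -> None:
        out.append(Finding(component, check, sev, detail))

    def is_set(name: str) -> bool:
        return bool(f.get(name))

    tls_pair = is_set("tls-cert-file") and is_set("tls-private-key-file")
    if component == "kube-apiserver":
        if not is_set("service-account-key-file"):
            add("service-account-key-file", "low", "absent: TLS key reused to verify SA tokens")
        elif f["service-account-key-file"] == f.get("tls-private-key-file"):
            add("service-account-key-file", "low", "same file as --tls-private-key-file")
        if f.get("service-account-lookup", "true").lower() != "true":  # default true
            add("service-account-lookup", "low", "false: tokens of deleted SAs stay valid")
        if not tls_pair:
            add("tls-cert-file/tls-private-key-file", "low", "self-signed serving certificate")
        if is_set("token-auth-file"):
            add("token-auth-file", "low", f"static tokens from {f['token-auth-file']}")
    elif component == "kube-controller-manager":
        if not is_set("service-account-private-key-file"):
            add("service-account-private-key-file", "low", "absent: no SA token signing key")
        t = f.get("terminated-pod-gc-threshold", "")
        if not t.lstrip("-").isdigit() or int(t) <= 0:  # <= 0 disables the collector
            add("terminated-pod-gc-threshold", "low", "absent or <= 0: no terminated pod GC")
        if f.get("use-service-account-credentials", "false").lower() != "true":  # default false
            add("use-service-account-credentials", "low", "controllers share one identity")
    elif component == "kubelet":
        if not tls_pair:
            add("tls-cert-file/tls-private-key-file", "critical",
                "no serving cert/key flags (check the KubeletConfiguration file too)")
    return out


# Constructed command lines shaped like the `command` lists kubeadm writes into
# /etc/kubernetes/manifests/*.yaml; paths are illustrative.
PKI = "/etc/kubernetes/pki"
WEAK_APISERVER = ["kube-apiserver", "--service-account-lookup=false",
                  "--token-auth-file=/etc/kubernetes/tokens.csv",
                  f"--tls-cert-file={PKI}/apiserver.crt"]
HARDENED_APISERVER = ["kube-apiserver", f"--service-account-key-file={PKI}/sa.pub",
                      "--service-account-lookup=true", f"--tls-cert-file={PKI}/apiserver.crt",
                      f"--tls-private-key-file={PKI}/apiserver.key"]
WEAK_CONTROLLER_MANAGER = ["kube-controller-manager", "--terminated-pod-gc-threshold=0"]
HARDENED_CONTROLLER_MANAGER = ["kube-controller-manager",
                               f"--service-account-private-key-file={PKI}/sa.key",
                               "--terminated-pod-gc-threshold=10",
                               "--use-service-account-credentials=true"]
WEAK_KUBELET = ["/usr/bin/kubelet", "--config=/var/lib/kubelet/config.yaml"]

if __name__ == "__main__":
    for argv in (WEAK_APISERVER, HARDENED_APISERVER, WEAK_CONTROLLER_MANAGER,
                 HARDENED_CONTROLLER_MANAGER, WEAK_KUBELET):
        for fd in audit(argv):
            print(f"[{fd.severity}] {fd.component} --{fd.check}: {fd.detail}")
```

The kubelet result deserves care before it is acted on: most deployments set tlsCertFile and tlsPrivateKeyFile in the KubeletConfiguration file passed via --config rather than as command-line flags, so a flag-only check reports a false positive there. Extend audit to read that file (and, for the API server, the --cert-dir fallback) before trusting the finding.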