Ensure that the --service-account-lookup argument is set to true
Description
The Kubernetes API server is configured with `--service-account-lookup=false`, which skips validating that the service account referenced by a presented token still exists in the API and is active. As a result, a token bound to a deleted or otherwise invalid service account can still authenticate.
Impact
If exploited, tokens of deleted or unauthorized service accounts would still be accepted by the API server, allowing an attacker holding such a stale token to access cluster resources and bypass the access controls that deleting the service account was meant to enforce.
Resolution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the following parameter:
--service-account-lookup=true
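As an added audit check (not part of the original page), the POSIX shell script below reads a kube-apiserver static pod manifest and reports the effective value of the flag; it treats an absent flag as true, which is the kube-apiserver default, and a bare `--service-account-lookup` item as true. The manifest path and the sample manifests used in the comments are assumptions.

```shell
#!/bin/sh
# Audit a kube-apiserver static pod manifest for --service-account-lookup.
# Usage: ./check_sa_lookup.sh /etc/kubernetes/manifests/kube-apiserver.yaml

sa_lookup_value() {
    # Print the effective (lower-cased) value of --service-account-lookup.
    # Only YAML list items ("- --flag...") are considered, so commented-out
    # lines are ignored; surrounding quotes are stripped first.
    manifest="$1"
    line=$(tr -d "\"'" < "$manifest" \
        | grep -E '^[[:space:]]*-[[:space:]]*--service-account-lookup' \
        | head -n 1)
    if [ -z "$line" ]; then
        echo "true"            # flag absent: kube-apiserver default is true
        return 0
    fi
    # Keep what follows "=" and drop any trailing comment.
    value=$(printf '%s\n' "$line" \
        | sed -E 's/.*--service-account-lookup[= ]?//; s/[ #].*$//' \
        | tr 'A-Z' 'a-z')
    if [ -z "$value" ]; then
        value="true"           # bare "--service-account-lookup" means true
    fi
    echo "$value"
}

check_sa_lookup() {
    # Exit 0 on pass, 1 on fail, 2 if the manifest cannot be read.
    manifest="$1"
    if [ ! -r "$manifest" ]; then
        echo "error: cannot read $manifest" >&2
        return 2
    fi
    value=$(sa_lookup_value "$manifest")
    case "$value" in
        true|t|1)  echo "PASS: --service-account-lookup is $value in $manifest"; return 0 ;;
        false|f|0) echo "FAIL: --service-account-lookup=$value in $manifest; set it to true"; return 1 ;;
        *)         echo "FAIL: unrecognised value '$value' in $manifest"; return 1 ;;
    esac
}

if [ $# -ge 1 ]; then
    check_sa_lookup "$1"
fi
```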