github/kube-hunter
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-hunter.git synced 2026-05-24 10:02:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bf7023d01c08086ec5cf2a836da3b451b4fcd2b2
kube-hunter/docs/_kb/KHV050.md
Itay Shakury 8cc90db8f5 add kb index (#252)
2019-10-30 20:38:16 +02:00

957 B
Raw Blame History

vid, title, categories
vid title categories
KHV050 Read access to Pod service account token
Access Risk

{{ page.vid }} - {{ page.title }}

Issue description

Every Pod in Kubernetes is associated with a Service Account which by default has access to the Kubernetes API. This access is made available to Pods by an auto-generated token that is made available to the Pod by Kubernetes. An attacker with access to a Pod can read the token and access the Kubernetes API.

Remediation

It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.

Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.

References

Reference in New Issue View Git Blame Copy Permalink