H3-2022-0094
Kubernetes Read with Service Account Token
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
Description
Service account tokens can be used to gain unauthorized access to the Kubernetes API. Depending on the permissions of the token, unauthorized access to cluster information may be obtained.
Impact
An attacker can use a service account token to make authenticated requests to the API Server and leak cluster information.
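The practical question for a defender reading this entry is "what can this token actually read?". The following script is an added example, not part of the H3-2022-0094 entry or any checker's code: it evaluates Kubernetes RBAC the way the API server does for a service account identity (ServiceAccount subjects plus the `system:serviceaccounts`, `system:serviceaccounts:<namespace>` and `system:authenticated` groups every service account token carries), resolves Role/ClusterRole rules through RoleBindings and ClusterRoleBindings, and flags read access to resources that expose cluster information. The input objects are constructed inline in the shape of `kubectl get ... -o json` items, and the `SENSITIVE_READS` list is an assumption chosen for this example, not a policy from the entry.

```python
"""Audit the effective RBAC permissions of a Kubernetes service account.

Added example (not part of the H3-2022-0094 entry). No cluster is contacted;
the objects below are constructed to look like the items returned by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
"""

# Verb/resource pairs that let a token holder read cluster information.
# Assumption for this example; extend to match your own risk model.
SENSITIVE_READS = {
    ("get", "secrets"), ("list", "secrets"), ("watch", "secrets"),
    ("list", "pods"), ("list", "nodes"), ("list", "configmaps"),
}


def _matches(values, wanted):
    """RBAC treats "*" as matching every verb/resource."""
    return "*" in values or wanted in values


def _subject_matches(subject, namespace, sa_name):
    """True if a binding subject covers system:serviceaccount:<ns>:<name>."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return subject.get("name") == sa_name and subject.get("namespace") == namespace
    if kind == "Group":
        # Every service account token is a member of these groups automatically.
        return subject.get("name") in (
            "system:authenticated",
            "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}",
        )
    return False


def effective_rules(objects, namespace, sa_name):
    """Return (scope, rule) pairs granted to the service account.

    scope is "*" for cluster-wide grants (ClusterRoleBinding) or the namespace
    of the RoleBinding that granted the rule.
    """
    roles = {}  # (kind, namespace-or-None, name) -> list of rules
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            key = (obj["kind"], obj["metadata"].get("namespace"), obj["metadata"]["name"])
            roles[key] = obj.get("rules", [])

    granted = []
    for obj in objects:
        kind = obj["kind"]
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, namespace, sa_name) for s in obj.get("subjects", [])):
            continue
        ref = obj["roleRef"]
        if kind == "ClusterRoleBinding":
            scope = "*"
            key = ("ClusterRole", None, ref["name"])
        else:
            # A RoleBinding may reference a ClusterRole; the grant is then
            # limited to the binding's own namespace.
            scope = obj["metadata"]["namespace"]
            key = (ref["kind"], scope if ref["kind"] == "Role" else None, ref["name"])
        for rule in roles.get(key, []):
            granted.append((scope, rule))
    return granted


def sensitive_findings(objects, namespace, sa_name):
    """Sorted (scope, verb, resource) triples that match SENSITIVE_READS."""
    findings = set()
    for scope, rule in effective_rules(objects, namespace, sa_name):
        for verb, resource in SENSITIVE_READS:
            if _matches(rule.get("verbs", []), verb) and _matches(rule.get("resources", []), resource):
                findings.add((scope, verb, resource))
    return sorted(findings)


# Constructed sample: one over-broad cluster-wide grant to a default service
# account, one namespaced grant via a group subject, and one ClusterRole
# reused through a RoleBinding.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-default-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "dev"}]},
    {"kind": "Role", "metadata": {"name": "pod-lister", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-sa-pods", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "pod-lister"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:app"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-worker-secrets", "namespace": "app"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "worker", "namespace": "app"}]},
]

if __name__ == "__main__":
    for ns, sa in [("dev", "default"), ("app", "default"), ("app", "worker"), ("prod", "default")]:
        print(f"system:serviceaccount:{ns}:{sa} -> {sensitive_findings(SAMPLE_OBJECTS, ns, sa)}")
```

Running the audit against a real cluster means feeding it the `items` arrays from `kubectl get` and iterating over every ServiceAccount; anything it reports for a `default` service account, or cluster-wide (`*`) for a workload that only needs its own namespace, is the misconfiguration this entry describes. The usual fixes are to set `automountServiceAccountToken: false` on pods or service accounts that never call the API, and to bind only namespaced, least-privilege Roles to the ones that do.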