Logo

Kube-hunter hunts for security weaknesses in Kubernetes clusters

View the Project on GitHub aquasecurity/kube-hunter

Lookup Vulnerability
All vulnerabilies

KHV050 - Read access to Pod service account token

Issue description

Every Pod in Kubernetes is associated with a Service Account which by default has access to the Kubernetes API. This access is made available to Pods by an auto-generated token that is made available to the Pod by Kubernetes. An attacker with access to a Pod can read the token and access the Kubernetes API.

Remediation

It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.

Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.

References