TF 0353 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --service-account-key-file argument is set as appropriate

| Property | Value     |
|----------|-----------|
| Language | terraform |
| Severity | low       |

Description

The kube-apiserver is not explicitly configured with the --service-account-key-file argument. When the flag is omitted, the API server falls back to the key given by --tls-private-key-file to verify service account tokens, so the private key that terminates the API server's TLS connections also becomes the trust anchor for every service account token, and the two cannot be rotated independently of each other.

Impact

Binding token verification to the TLS serving key widens the blast radius of that key: anyone who obtains it (a private key that lives on every control plane node and in any backup or image of one) can sign tokens the API server accepts, impersonate arbitrary service accounts, inherit their RBAC permissions and escalate privileges within the cluster. Because the same key also serves TLS, the token-verification key cannot be rotated without reissuing the serving certificate, which makes a suspected compromise harder to contain.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --service-account-key-file parameter to the public key file used for service account tokens (on kubeadm-built clusters this is typically /etc/kubernetes/pki/sa.pub). The private half of that key must be the one that signs tokens, i.e. the file passed to the API server's --service-account-signing-key-file (and to the controller manager's --service-account-private-key-file for legacy secret-based tokens); otherwise existing tokens stop verifying once the change takes effect. The kubelet restarts the static pod when the manifest is saved; confirm the flag is present on the running process afterwards with ps -ef | grep kube-apiserver.
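The following audit script is an added example, not part of this page or of the Symbiotic rule. It parses a kube-apiserver static-pod manifest for --service-account-key-file, reports a finding when the flag is absent (and the TLS key fallback therefore applies), and sanity-checks the file the flag names. The sample manifests are constructed, and the /etc/kubernetes/pki/sa.pub and sa.key paths are assumed from the usual kubeadm layout rather than taken from the page.

```shell
#!/bin/sh
# Added audit helper, not part of the original page or of the Symbiotic rule.
# Reads a kube-apiserver static-pod manifest, reports whether
# --service-account-key-file is set, and sanity-checks the file it names.
# /etc/kubernetes/pki/sa.pub and sa.key are the usual kubeadm paths and are
# assumed here, not taken from the page.

# Print every value given to --service-account-key-file in manifest text read
# from stdin (the flag may be repeated). Matches the "- --flag=value" form used
# in static-pod command lists; prints nothing when the flag is absent.
sa_key_files_from_manifest() {
    sed -n 's/^[[:space:]]*-[[:space:]]*--service-account-key-file=\(.*\)$/\1/p'
}

# Return 0 when the manifest sets the flag, 1 when it does not.
check_manifest() {
    key_files=$(printf '%s\n' "$1" | sa_key_files_from_manifest)
    if [ -z "$key_files" ]; then
        echo "FAIL: --service-account-key-file is not set; tokens will be verified with --tls-private-key-file"
        return 1
    fi
    echo "PASS: --service-account-key-file set to: $key_files"
    return 0
}

# Sanity-check the key file: it must exist, be a PEM public key, and not be a
# private key (the flag accepts private keys, but verification only needs the
# public half). If openssl is installed, also confirm the key parses.
check_key_file() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "FAIL: $f is missing or unreadable"
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "FAIL: $f holds a private key; point --service-account-key-file at the public key"
        return 1
    fi
    if ! grep -q 'BEGIN PUBLIC KEY' "$f"; then
        echo "FAIL: $f is not a PEM-encoded public key"
        return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl pkey -pubin -in "$f" -noout 2>/dev/null; then
            echo "FAIL: $f does not parse as a public key"
            return 1
        fi
    fi
    echo "PASS: $f is a PEM public key"
    return 0
}

# Constructed sample manifests (abridged; not taken from a real cluster).
MANIFEST_MISSING='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local'

# Same manifest with the flag set and a dedicated signing key (assumed paths).
MANIFEST_OK="$MANIFEST_MISSING
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key"

# With a manifest path as the first argument, audit that file and its key;
# with no argument, run against the constructed samples.
if [ -n "${1:-}" ]; then
    manifest=$(cat "$1")
    check_manifest "$manifest"
    for f in $(printf '%s\n' "$manifest" | sa_key_files_from_manifest); do
        check_key_file "$f"
    done
else
    check_manifest "$MANIFEST_MISSING" || true
    check_manifest "$MANIFEST_OK" || true
fi
```

On a control plane node run it as sh audit.sh /etc/kubernetes/manifests/kube-apiserver.yaml; the manifest check is the one CIS-style auditors perform with ps -ef | grep kube-apiserver, and the key-file check catches the common mistake of pointing the flag at the private key.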