TF 0409 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --service-account-private-key-file argument is set as appropriate

| Property | Value     |
|----------|-----------|
| Language | terraform |
| Severity | low       |

Description

The kube-controller-manager is not explicitly configured with the --service-account-private-key-file argument, so service account tokens are signed with a default or unset private key instead of a deliberately chosen one. This misconfiguration can lead to insecure token generation and handling.

Impact

Without specifying the correct private key file, service account tokens may be improperly signed or vulnerable to forgery, potentially allowing attackers to impersonate service accounts and escalate privileges within the Kubernetes cluster.

Resolution

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --service-account-private-key-file parameter to the private key file for service accounts.
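As an added audit helper (not code from the SymbioticSec database or from Kubernetes), the POSIX shell script below reads a controller-manager static pod manifest, reports whether --service-account-private-key-file is set, and checks that the referenced key exists and is readable only by its owner. The manifests and key it writes are constructed samples; the real path to check is the manifest named in the resolution above.

```shell
#!/bin/sh
# Added audit helper, not code from the SymbioticSec database or Kubernetes.
# Inspects a kube-controller-manager static pod manifest for the
# --service-account-private-key-file flag and verifies the referenced key
# is present and private to its owner. POSIX sh; no kubectl needed.

# Print the flag's value from the manifest, or nothing if it is absent.
# Accepts both "--flag=value" and a "--flag" entry followed by its value.
sa_key_path_from_manifest() {
  sed -e 's/^[[:space:]]*-[[:space:]]*//' -e "s/[\"']//g" "$1" |
    awk '/^--service-account-private-key-file=/ { sub(/^[^=]*=/, ""); print; exit }
         /^--service-account-private-key-file$/ { getline; print; exit }'
}

# Return 0 only when the flag is set and the key file is owner-only readable.
check_sa_key_manifest() {
  path=$(sa_key_path_from_manifest "$1")
  if [ -z "$path" ]; then
    echo "FAIL: --service-account-private-key-file not set in $1"; return 1
  fi
  if [ ! -f "$path" ]; then
    echo "FAIL: key file $path does not exist"; return 2
  fi
  # Columns 5-10 of "ls -l" are the group and other permission bits.
  case "$(ls -l "$path" | cut -c5-10)" in
    ------) ;;
    *) echo "FAIL: key file $path is readable by group or others"; return 3 ;;
  esac
  echo "PASS: service account tokens are signed with $path"
}

# Write constructed sample manifests (one compliant, one missing the flag)
# and a dummy key into directory $1 for a stand-alone demonstration.
write_samples() {
  dir="$1"
  ( umask 077; printf 'constructed-dummy-key\n' > "$dir/sa.key" )
  printf 'apiVersion: v1\nkind: Pod\nspec:\n  containers:\n  - command:\n    - kube-controller-manager\n    - --service-account-private-key-file=%s/sa.key\n' "$dir" > "$dir/good.yaml"
  printf 'apiVersion: v1\nkind: Pod\nspec:\n  containers:\n  - command:\n    - kube-controller-manager\n    - --use-service-account-credentials=true\n' > "$dir/bad.yaml"
}

# Run with --demo to check the two constructed manifests.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_samples "$d"
  check_sa_key_manifest "$d/good.yaml"; check_sa_key_manifest "$d/bad.yaml"
  rm -rf "$d"
fi
```

On a real control plane node, run check_sa_key_manifest against /etc/kubernetes/manifests/kube-controller-manager.yaml; a PASS line confirms both the flag and the key file's permissions.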