TF 0464 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --service-account-lookup argument is set to true

Property   Value
Language   terraform
Severity   low

Description

The Kubernetes API server is configured with '--service-account-lookup=false', which skips validating that service accounts referenced by tokens actually exist and are active. This can allow the use of invalid or deleted service accounts for authentication.

Impact

If exploited, deleted or unauthorized service account tokens could still be accepted by the API server, potentially allowing attackers to access cluster resources with stale or invalid credentials and bypass intended access controls.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the parameter --service-account-lookup=true on the kube-apiserver command line.
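The following is an added audit script, not code from the Symbiotic Vulnerability Database or from Kubernetes. It checks a kube-apiserver static-pod manifest for the misconfiguration this entry describes and produces the remediated form. It goes a little beyond the entry: an absent flag is treated as compliant because kube-apiserver defaults --service-account-lookup to true, a bare --service-account-lookup is read as true (boolean flags take no separate value token), and the last occurrence of the flag wins. The manifests are constructed samples expressed as Python dicts in the shape yaml.safe_load() would return for /etc/kubernetes/manifests/kube-apiserver.yaml, so no YAML library is needed; --secure-port=6443 is included only as a second, unrelated flag.

```python
"""Audit a kube-apiserver static-pod manifest for --service-account-lookup.

Added example for this wiki entry; it is not the project's own check code.
The manifests below are constructed dicts in the shape yaml.safe_load()
returns for /etc/kubernetes/manifests/kube-apiserver.yaml, so PyYAML is
not needed to run it.
"""
import copy
from typing import Optional

FLAG = "--service-account-lookup"
# kube-apiserver treats an absent flag as true, so absence is compliant.
DEFAULT = True


def _parse_bool(text: str) -> Optional[bool]:
    """Accept the spellings Go's strconv.ParseBool accepts; None otherwise."""
    if text in ("1", "t", "T", "TRUE", "true", "True"):
        return True
    if text in ("0", "f", "F", "FALSE", "false", "False"):
        return False
    return None


def _is_flag(arg: str) -> bool:
    return arg == FLAG or arg.startswith(FLAG + "=")


def effective_lookup(argv: list) -> bool:
    """Value the API server will use, given its full command line.

    Handles '--flag=value' and a bare '--flag' (a bool flag with no value
    means true). Boolean pflag flags never consume the next token, so
    '--flag false' is not a valid spelling and is not treated as one.
    The last occurrence wins.
    """
    value = DEFAULT
    for arg in argv:
        if arg == FLAG:
            value = True
        elif arg.startswith(FLAG + "="):
            parsed = _parse_bool(arg.split("=", 1)[1])
            if parsed is None:
                raise ValueError(f"unparseable boolean in {arg!r}")
            value = parsed
    return value


def apiserver_args(manifest: dict) -> list:
    """command + args of the kube-apiserver container (flags may be in either)."""
    argv = []
    for c in manifest.get("spec", {}).get("containers", []):
        if c.get("name") == "kube-apiserver":
            argv.extend(c.get("command", []))
            argv.extend(c.get("args", []))
    return argv


def audit(manifest: dict) -> dict:
    """Return {'enabled': bool, 'explicit': [flag occurrences], 'compliant': bool}."""
    argv = apiserver_args(manifest)
    enabled = effective_lookup(argv)
    return {
        "enabled": enabled,
        "explicit": [a for a in argv if _is_flag(a)],
        "compliant": enabled,
    }


def remediate(manifest: dict) -> dict:
    """Copy of the manifest with the flag explicitly set to true (input untouched)."""
    fixed = copy.deepcopy(manifest)
    for c in fixed.get("spec", {}).get("containers", []):
        if c.get("name") != "kube-apiserver":
            continue
        c["command"] = [a for a in c.get("command", []) if not _is_flag(a)]
        if "args" in c:
            c["args"] = [a for a in c["args"] if not _is_flag(a)]
        c["command"].append(FLAG + "=true")
    return fixed


def _manifest(cmd: list) -> dict:
    # Constructed kubeadm-style static pod; only the fields the audit reads.
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "kube-apiserver", "command": cmd}]}}


# Constructed samples: the finding this rule raises, the fixed form, and the default.
VULNERABLE_MANIFEST = _manifest(["kube-apiserver", "--secure-port=6443", FLAG + "=false"])
FIXED_MANIFEST = _manifest(["kube-apiserver", "--secure-port=6443", FLAG + "=true"])
ABSENT_MANIFEST = _manifest(["kube-apiserver", "--secure-port=6443"])

if __name__ == "__main__":
    for name, m in [("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST),
                    ("absent", ABSENT_MANIFEST)]:
        print(name, audit(m))
    print("remediated", audit(remediate(VULNERABLE_MANIFEST)))
```

Running the script reports the vulnerable manifest as non-compliant, the fixed and flag-absent manifests as compliant, and the remediated copy of the vulnerable manifest as compliant; feeding it a real manifest only requires loading the YAML into the same dict shape.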