C-0053 - Access container service account

Framework

AllControls, MITRE

Severity

Medium

Description of the the issue

Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\ClusterRoleBindings that are associated with it.

Related resources

ClusterRole, ClusterRoleBinding, CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, Role, RoleBinding, ServiceAccount, StatefulSet

What does this control test

Control checks if RBAC is enabled. If it's not, the SA has unlimited permissions. If RBAC is enabled, it lists all permissions for each SA.

Remediation

Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.

Example

No example