C-0053 - Access container service account
Framework
MITRE, AllControls
Severity
Medium
Description of the the issue
Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\ClusterRoleBindings that are associated with it.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Control checks if RBAC is enabled. If it's not, the SA has unlimited permissions. If RBAC is enabled, it lists all permissions for each SA.
Remediation
Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.
Example
No example
Updated 3 days ago