C-0135 - Ensure that the API Server --service-account-lookup argument is set to true





Description of the the issue

If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue.

Related resources


What does this control test

Validate service account before validating token.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that if the --service-account-lookup argument exists it is set to true.


Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the below parameter.


Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect.

Impact Statement


Default Value

By default, --service-account-lookup argument is set to true.


No example