C-0287 - Service account token authentication should not be used for users
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.10.0
Severity
Medium
Description of the issue
With any authentication mechanism, the ability to revoke credentials when they are compromised or no longer required is a key control. Service account token authentication does not allow for this, because it uses JWT tokens as the underlying technology.
Related resources
What does this control test
Kubernetes provides service account tokens which are intended for use by workloads running in the Kubernetes cluster, for authentication to the API server.
These tokens are not designed for use by end-users and do not provide for features such as revocation or expiry, making them insecure. A newer version of the feature (Bound service account token volumes) does introduce expiry but still does not allow for specific revocation.
How to check it manually
Review user access to the cluster and ensure that users are not making use of service account token authentication.
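One way to support this review is to inspect the credentials in a kubeconfig and flag user entries whose bearer token is a Kubernetes service account JWT. The script below is an added example, not Kubescape's own check; it assumes the JSON shape produced by `kubectl config view --raw -o json`, and the user names, tokens and claims in the sample are constructed.

```python
import base64
import json

SA_SUBJECT_PREFIX = "system:serviceaccount:"

def jwt_claims(token: str):
    """Unverified JWT payload as a dict, or None if the string is not a JWT.
    Only the claims are read; the signature is deliberately not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return data if isinstance(data, dict) else None

def classify_user(user: dict) -> str:
    """Classify one kubeconfig 'user' block by the credential it carries."""
    token = user.get("token")
    if token is None:
        if "exec" in user:
            return "exec-plugin"  # OIDC / cloud IAM helpers (e.g. kubelogin) live here
        if "client-certificate-data" in user or "client-certificate" in user:
            return "client-certificate"
        return "other"
    claims = jwt_claims(token)
    if claims is None or not str(claims.get("sub", "")).startswith(SA_SUBJECT_PREFIX):
        return "bearer-token"  # opaque or non-service-account bearer token
    # Legacy secret-based SA tokens carry no 'exp'; bound tokens do, but
    # neither kind can be individually revoked once issued.
    return "sa-token-bound" if "exp" in claims else "sa-token-legacy"

def find_sa_token_users(kubeconfig: dict) -> dict:
    """Map user name -> classification; 'sa-token-*' entries are the findings."""
    return {u["name"]: classify_user(u["user"]) for u in kubeconfig.get("users", [])}

def _unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for the sample data below (test data only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample shaped like `kubectl config view --raw -o json` output.
SAMPLE_KUBECONFIG = {"users": [
    {"name": "alice", "user": {"client-certificate-data": "...", "client-key-data": "..."}},
    {"name": "bob", "user": {"exec": {"command": "kubelogin", "apiVersion": "client.authentication.k8s.io/v1"}}},
    {"name": "ci-bot", "user": {"token": _unsigned_jwt({"sub": "system:serviceaccount:kube-system:deploy-bot"})}},
    {"name": "carol", "user": {"token": _unsigned_jwt({"sub": "system:serviceaccount:default:app", "exp": 1900000000})}},
]}
```

Run `find_sa_token_users` over the parsed output of `kubectl config view --raw -o json` for each human user's kubeconfig; any `sa-token-legacy` or `sa-token-bound` result is a user relying on service account token authentication.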
Remediation
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of service account tokens.
Impact Statement
External mechanisms for authentication generally require additional software to be deployed.
Default Value
Service account token authentication is enabled by default.
Example
No example