No service account public key file
ID | api_server_service_account_key_file
Severity | low
Vendor | Kubernetes
Resource | kube-apiserver
Tags | reachable
Description
A security best practice is to routinely rotate your key pair used to sign the service account tokens. By default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate.
To ensure that the keys used to verify service account tokens can be rotated as needed, --service-account-key-file should be used to specify the public key to the API server explicitly.
Learn more about this topic at Managing Service Accounts.
Examples
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: weak
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver (1)
    - --authorization-mode=RBAC,Node
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
1 | When --service-account-key-file is not set, the API server falls back to the TLS serving key, so rotation of the service account token key cannot be ensured. |
Mitigation / Fix
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: good
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,Node
    - --service-account-key-file=/app/keys/key.pem (1)
    image: gcr.io/<image>
1 | Verify --service-account-key-file is set explicitly. |
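As an added example (not part of the original rule page or of any scanner's code), the check this rule describes, run over the two manifests above; it assumes the usual static-pod layout with one `- --flag=value` item per line and parses line by line instead of depending on PyYAML. It also covers the rotation case, where kube-apiserver accepts the flag more than once so tokens verifiable by either key stay valid.

```python
# Constructed sample manifests, trimmed to the fields the check reads.
WEAK_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,Node
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
"""
GOOD_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,Node
    - --service-account-key-file=/app/keys/key.pem
    image: gcr.io/<image>
"""
# Constructed rotation case: the flag is repeated with the old and the new key
# (key-new.pem is a placeholder path) so tokens signed with either key verify.
ROTATING_MANIFEST = GOOD_MANIFEST.replace(
    "    image:", "    - --service-account-key-file=/app/keys/key-new.pem\n    image:")
LIST_HEADERS = ("command:", "- command:", "args:", "- args:")

def apiserver_flags(manifest: str) -> dict:
    """Collect '--flag=value' items from the command:/args: lists (line-based,
    assumes one flag per list item). A repeated flag yields one value per
    occurrence; a flag given without '=' yields an empty string."""
    flags, in_list = {}, False
    for raw in manifest.splitlines():
        line = raw.strip()
        if line in LIST_HEADERS:
            in_list = True
        elif in_list and line.startswith("- "):
            item = line[2:].strip()
            if item.startswith("--"):
                name, _, value = item.partition("=")
                flags.setdefault(name, []).append(value)
        else:
            in_list = False  # any other key (image:, ports:, ...) ends the list
    return flags

def check_service_account_key_file(manifest: str) -> dict:
    """Return the finding this rule produces for one kube-apiserver manifest."""
    files = [v for v in apiserver_flags(manifest).get("--service-account-key-file", []) if v]
    if not files:
        return {"passed": False, "severity": "low", "key_files": [],
                "message": "--service-account-key-file not set: token verification falls "
                           "back to the TLS serving key, which cannot be rotated separately"}
    return {"passed": True, "severity": None, "key_files": files, "message": "ok"}
```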