Kubernetes JWT

ID

kubernetes_jwt

Severity

high

Vendor

Kubernetes

Family

API Token

Description

Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management.

This detector looks for the JWT Token.

JSON Web Tokens (JWT) represent claims securely between two parties. They follow the open standard RFC 7519.

JWT are JSON objects containing the claims and signed using HMAC or public key/private keypair. It contains three parts: a header, a payload and a signature. header and payload are base-64 encoded JSON objects.

Security

Any leakage of the Kubernetes JWT is important. If the token is verified as active, severity is increased.

Examples

The following example shows a hardcoded Kubernetes JWT in a YAML script:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpzdXBlcmFkbWluIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE4OTAwNDQ2ODAsImlzcyI6Imt1YmVybmV0ZXMvc2VydmljZWFjY291bnQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L25hbWVzcGFjZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoic3VwZXJhZG1pbi10b2tlbi1jbXc3YyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzdXBlcmFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNTJjNDk4MGUtNzA1MC0xMWU5LWIyMzItMDY5YWI4YmJhZjQ2In0.IXTEsiuDa3fYINbatF4ZehO74aYC0WePZ4032oVddtU

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). You may need to regenerate the token, either using OIDC or as a service account token via kubectl create token.

  2. Remove the sensitive data from the source code or committed configuration file. Avoid hardcoded JWT token, and instead place it in a 'secrets vault', or use another source instead of writing it in code or in a configuration file under version control.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://kubernetes.io/docs/reference/access-authn-authz/authentication