services / Google Cloud / ServiceAccounts

A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server.

Each service account can be issued tokens that workloads use to authenticate. On current Kubernetes releases (bound service account tokens are the default since 1.22) the kubelet obtains a short-lived token for the Pod through the TokenRequest API, scoped to an audience and bound to the Pod, projects it into the container at `/var/run/secrets/kubernetes.io/serviceaccount/token`, and refreshes it before it expires; the token stops validating once the Pod is deleted. Older clusters instead mounted a long-lived, non-expiring token from an auto-generated Secret (no longer created automatically since 1.24), and such legacy Secrets may still exist in upgraded clusters. A service account may also list `imagePullSecrets`, Secrets holding registry credentials that Pods running as that account use to pull container images.


container.serviceAccounts.createToken

Allows sending a TokenRequest to the API server (the Kubernetes `create` verb on the `serviceaccounts/token` subresource). The request mints a new token for the named service account; the caller chooses the audiences and the requested lifetime and may bind the token to a Pod or Secret so that it stops validating when that object is deleted. The token is returned to the caller, who can then act as that service account with every RBAC permission bound to it, without needing access to the Pod or to any Secret holding the account's credentials. Nothing about the minted token is stored on the cluster, so the API server audit log is the only record that it was issued.
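The following is a worked example added to this entry, not code from P0 Security or the Kubernetes project. It builds the TokenRequest body that is POSTed to the service account's `token` subresource, decodes a constructed service-account JWT to show which identity (and which bound Pod) the returned token carries, and scans constructed native Kubernetes audit events for TokenRequest calls from unexpected callers. The sample token and audit events are constructed inline for illustration; nothing here contacts a cluster, and the function and constant names are the example's own.

```python
"""Worked example, added to this catalog entry (not code from P0 Security
or the Kubernetes project). Shows the TokenRequest body, what the API
server hands back (a JWT whose claims name the service account the holder
acts as), and how TokenRequest calls show up in the native Kubernetes
audit log. All inputs are constructed inline; nothing contacts a cluster.
"""
import base64
import json

# POST target for a TokenRequest (authentication.k8s.io/v1).
API_PATH = "/api/v1/namespaces/{ns}/serviceaccounts/{name}/token"


def build_token_request(audiences, expiration_seconds=3600, bound_pod=None):
    """Request body. A boundObjectRef ties the token's validity to that
    Pod's lifetime; the API server may cap expirationSeconds."""
    spec = {"audiences": list(audiences),
            "expirationSeconds": int(expiration_seconds)}
    if bound_pod is not None:
        spec["boundObjectRef"] = {"kind": "Pod", "apiVersion": "v1",
                                  "name": bound_pod}
    return {"apiVersion": "authentication.k8s.io/v1",
            "kind": "TokenRequest", "spec": spec}


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_sa_token_claims(token):
    """Read the JWT payload WITHOUT verifying the signature (verification
    is the API server's job); we only want to see whose identity the token
    carries and whether it is bound to a Pod."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    k8s = claims.get("kubernetes.io", {})
    return {"subject": claims.get("sub"),
            "namespace": k8s.get("namespace"),
            "service_account": k8s.get("serviceaccount", {}).get("name"),
            "bound_pod": k8s.get("pod", {}).get("name"),  # None if unbound
            "audiences": claims.get("aud"),
            "expires_at": claims.get("exp")}


def is_expired(claims, now):
    """True once exp has passed (now in Unix seconds)."""
    return claims["expires_at"] is not None and now >= claims["expires_at"]


def find_token_requests(audit_events, allowed_principals=()):
    """Flag TokenRequest calls (verb create on the serviceaccounts/token
    subresource) from callers we do not expect. The kubelet mints projected
    tokens for every Pod it runs, so it is normally allow-listed."""
    hits = []
    for ev in audit_events:
        ref = ev.get("objectRef", {})
        if (ev.get("verb") == "create"
                and ref.get("resource") == "serviceaccounts"
                and ref.get("subresource") == "token"
                and ev.get("user", {}).get("username") not in allowed_principals):
            hits.append({"caller": ev["user"]["username"],
                         "target": f"{ref.get('namespace')}/{ref.get('name')}",
                         "code": ev.get("responseStatus", {}).get("code")})
    return hits


# Constructed sample data: illustrative values, not captured from a cluster.
_SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:kube-system:default",
    "aud": ["https://kubernetes.default.svc"],
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
    "kubernetes.io": {"namespace": "kube-system",
                      "pod": {"name": "demo-pod", "uid": "1111-demo"},
                      "serviceaccount": {"name": "default", "uid": "2222-demo"}},
}
# The signature segment is a placeholder; real tokens are signed by the API server.
SAMPLE_TOKEN = ".".join([_b64url_encode(b'{"alg":"RS256","kid":"demo"}'),
                         _b64url_encode(json.dumps(_SAMPLE_CLAIMS).encode()),
                         "placeholder-signature"])

SAMPLE_AUDIT_EVENTS = [  # native audit.k8s.io Event fields, trimmed
    {"verb": "create", "user": {"username": "system:node:demo-node"},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "default", "name": "web"},
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "kube-system", "name": "default"},
     "responseStatus": {"code": 201}},
    {"verb": "get", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "serviceaccounts", "namespace": "kube-system",
                   "name": "default"}, "responseStatus": {"code": 200}},
]
```

From the command line the same request is `kubectl create token <serviceaccount> -n <namespace> --duration=10m`, which prints the JWT; passing it as `kubectl --token=<jwt> ...` then acts as that service account. The audit scan above uses the native `audit.k8s.io` Event schema; GKE exports these records to Cloud Logging in its own schema, so the field paths need adapting there, but the signal (a `create` on the `token` subresource of `serviceaccounts` by something other than the kubelet or a known controller) is the same.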

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account
  • https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenrequestspec-v1-authentication-k8s-io
  • https://securitylabs.datadoghq.com/articles/kubernetes-tokenrequest-api/
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog