services / Google Cloud / ServiceAccounts
A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server.
Each service account can be issued tokens that workloads present to the Kubernetes API server as bearer credentials. On current Kubernetes versions the token is not stored in a Secret: the kubelet requests it through the TokenRequest API and mounts it into the Pod as a projected volume (by default at `/var/run/secrets/kubernetes.io/serviceaccount/token`). Such a token is time-bound (it expires and the kubelet refreshes it), is bound to the specific Pod, and becomes invalid once that Pod is deleted. Older clusters (before Kubernetes 1.24) instead auto-created a long-lived token Secret for every service account; that token never expires, is not tied to any Pod, and is only invalidated by deleting the Secret. A service account may also list `imagePullSecrets`, references to Secrets holding registry credentials that Pods running as the account use to pull private container images.
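The difference between the two token kinds is visible in the token's own claims. The following is an added example (not code from the original page or from P0 Security) that decodes a mounted token's JWT payload, without verifying the signature, and reports whether it is a legacy long-lived Secret token or a Pod-bound projected token. The two sample tokens, the cluster issuer URL and all names in them are constructed placeholders.

```python
"""Triage a mounted Kubernetes service account token.

Added example, not code from the original page or from P0 Security. It
decodes the token's JWT claims (without verifying the signature, which only
the API server can do) and reports whether it is a legacy long-lived Secret
token or a Pod-bound projected token. The two sample tokens are constructed
here with dummy signatures and placeholder names.
"""
import base64
import json
import time

# Default projected-volume path inside a Pod (assumption: default mount).
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload segment of a JWT as a dict. No signature check."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, now=None) -> dict:
    """Classify a service account token by its claims."""
    claims = jwt_claims(token)
    now = int(time.time()) if now is None else now
    info = {"subject": claims.get("sub"), "issuer": claims.get("iss")}
    legacy_secret = claims.get("kubernetes.io/serviceaccount/secret.name")
    if legacy_secret is not None and "exp" not in claims:
        # Legacy token: backed by a Secret, never expires, outlives any Pod.
        info.update(kind="legacy-secret", secret=legacy_secret,
                    pod=None, expires_in=None)
    else:
        # Projected token: issued via TokenRequest, bound to one Pod, expiring.
        bound = claims.get("kubernetes.io", {})
        info.update(kind="bound-projected", secret=None,
                    pod=bound.get("pod", {}).get("name"),
                    expires_in=claims["exp"] - now if "exp" in claims else None,
                    audience=claims.get("aud"))
    return info


def read_mounted_token(path: str = TOKEN_PATH) -> str:
    """Read the token a Pod presents as `Authorization: Bearer <token>`."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed sample)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed sample: shape of a pre-1.24 auto-generated Secret token.
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "payments",
    "kubernetes.io/serviceaccount/secret.name": "api-worker-token-x7k2q",
    "kubernetes.io/serviceaccount/service-account.name": "api-worker",
    "sub": "system:serviceaccount:payments:api-worker",
})

# Constructed sample: shape of a projected token on a GKE cluster
# (project, location and cluster names are placeholders).
CLUSTER_ISSUER = "https://container.googleapis.com/v1/projects/p/locations/l/clusters/c"
BOUND_TOKEN = make_unsigned_token({
    "iss": CLUSTER_ISSUER, "aud": [CLUSTER_ISSUER],
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
    "kubernetes.io": {
        "namespace": "payments",
        "pod": {"name": "api-worker-5d9f7", "uid": "1b2c3d4e"},
        "serviceaccount": {"name": "api-worker", "uid": "9f8e7d6c"},
    },
    "sub": "system:serviceaccount:payments:api-worker",
})

if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, inspect_token(tok, now=1700000000))
```

Run it inside a Pod with `inspect_token(read_mounted_token())` to see which kind the workload actually holds; a `legacy-secret` result means a credential that survives Pod deletion and is worth rotating.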
container.serviceAccounts.update
This permission allows modifying any mutable field of a ServiceAccount object in the cluster. Entries in the `secrets` and `imagePullSecrets` lists can be added or removed: removing an imagePullSecret causes new Pods that run as the account to fail to pull private images (a service interruption), and removing a legacy token Secret reference or toggling `automountServiceAccountToken` changes which credentials workloads receive. Annotations can be changed as well; on GKE the `iam.gke.io/gcp-service-account` annotation maps the Kubernetes service account to a Google service account for Workload Identity, so an update can point workloads at a different Google identity (the IAM binding on that Google service account is still required for the mapping to be usable). The permission does not by itself allow reading the token Secrets the account references or minting new tokens for it; those are separate permissions (`container.secrets.get` and `container.serviceAccounts.createToken`).
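Because the permission maps to `update` and `patch` on the `serviceaccounts` resource, the changes it enables show up in the cluster's Kubernetes audit log. The following is an added example (not code from the original page or from P0 Security) that reads audit events logged at the RequestResponse level, keeps the last seen state of each ServiceAccount, and on each update or patch reports dropped secret references, changed annotations and `automountServiceAccountToken` flips. The audit events, user names and secret names below are constructed samples.

```python
"""Detect risky ServiceAccount updates in Kubernetes audit events.

Added example, not code from the original page or from P0 Security. It reads
audit events (JSON lines, policy level RequestResponse so responseObject is
present), keeps the last seen state of each ServiceAccount, and on update or
patch reports dropped secret references and changed annotations. The audit
events below are constructed samples with placeholder names.
"""
import json

WATCHED_LISTS = ("secrets", "imagePullSecrets")


def _names(obj: dict, field: str) -> set:
    return {ref["name"] for ref in (obj.get(field) or [])}


def _annotations(obj: dict) -> dict:
    return obj.get("metadata", {}).get("annotations") or {}


def diff_service_account(before: dict, after: dict) -> list:
    """List security-relevant differences between two ServiceAccount objects."""
    findings = []
    for field in WATCHED_LISTS:
        removed = _names(before, field) - _names(after, field)
        if removed:
            findings.append(f"{field} removed: {sorted(removed)}")
    a_before, a_after = _annotations(before), _annotations(after)
    for key in sorted(set(a_before) | set(a_after)):
        if a_before.get(key) != a_after.get(key):
            findings.append(f"annotation {key} changed: "
                            f"{a_before.get(key)!r} -> {a_after.get(key)!r}")
    if before.get("automountServiceAccountToken") != after.get("automountServiceAccountToken"):
        findings.append("automountServiceAccountToken changed")
    return findings


def scan_audit_log(lines) -> list:
    """Return one alert per update/patch that changed something we watch."""
    state, alerts = {}, []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "serviceaccounts" or ref.get("subresource"):
            continue
        if ev.get("responseStatus", {}).get("code", 200) >= 300:
            continue  # request was rejected; nothing changed
        after = ev.get("responseObject")
        if after is None:
            continue  # needs the RequestResponse audit level
        key = f'{ref.get("namespace")}/{ref.get("name")}'
        if ev.get("verb") in ("update", "patch") and key in state:
            findings = diff_service_account(state[key], after)
            if findings:
                alerts.append({"user": ev["user"]["username"], "object": key,
                               "verb": ev["verb"], "findings": findings})
        state[key] = after
    return alerts


def _event(verb: str, user: str, sa: dict) -> str:
    """Constructed audit event line (audit.k8s.io/v1 shape, trimmed)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "verb": verb, "user": {"username": user},
        "objectRef": {"resource": "serviceaccounts",
                      "namespace": sa["metadata"]["namespace"],
                      "name": sa["metadata"]["name"]},
        "responseStatus": {"code": 200}, "responseObject": sa,
    })


def _sa(secrets, pull_secrets, annotations=None) -> dict:
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"namespace": "payments", "name": "api-worker",
                         "annotations": annotations or {}},
            "secrets": [{"name": s} for s in secrets],
            "imagePullSecrets": [{"name": s} for s in pull_secrets]}


SAMPLE_LOG = [
    _event("create", "platform-admin", _sa(["api-worker-token-x7k2q"], ["gar-pull"])),
    # Benign re-apply of the same object (no alert expected).
    _event("patch", "platform-admin", _sa(["api-worker-token-x7k2q"], ["gar-pull"])),
    # Drops the pull secret: new Pods can no longer pull private images.
    _event("patch", "ci-runner", _sa(["api-worker-token-x7k2q"], [])),
    # Re-points the Workload Identity mapping (GKE annotation).
    _event("update", "ci-runner", _sa(["api-worker-token-x7k2q"], [],
           {"iam.gke.io/gcp-service-account": "other@p.iam.gserviceaccount.com"})),
]

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

The detector is stateful on purpose: a patch event carries only the patch body in `requestObject`, so the old object has to come from the previous event for the same account, which is why the first event seen for each account only seeds state and never alerts.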
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security