services / Kubernetes / ServiceAccounts
A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server.
Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.
core/serviceaccounts.createToken
Allows sending a TokenRequest to the API server. This request issues a new token and binds the token to a service account. The token is also returned to the caller, allowing it to act as the service account bound to that token.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security