services / Kubernetes / ServiceAccounts
A Kubernetes service account is a machine identity for Kubernetes workloads. It provides an authentication mechanism for applications and processes running within a Kubernetes cluster. Service accounts are primarily used to authenticate requests made to the Kubernetes API server.
Each service account has a unique token associated with it, which is used to authenticate requests. This token is automatically mounted as a secret within the container running the workload, and workloads (such as Pods) use it to authenticate against the Kubernetes API server. The token is a long-lived token, however, it is re-created each time the Pods are re-created. Service accounts may also hold an `imagePullSecret` object used to authenticate against a container image repository.
core/serviceaccounts.update
An update may remove or add more secrets. In particular, a removal may remove the imagePullSecret of service account or the Kubernetes API secret.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security