Profile applicability: Level 1 - Master Node
By default Kubernetes extends service account token lifetimes to one year to aid in transition from the legacy token settings.
This default setting is not ideal for security as it ignores other settings related to maximum token lifetime and means that a lost or stolen credential could be valid for an extended period of time.
Note
By default, this parameter is set to true.

Impact

Disabling this setting means that the service account token expiry set in the cluster will be enforced, and service account tokens will expire at the end of that time frame.

Audit

Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --service-account-extend-token-expiration argument is set to false.
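The following audit helper is an added example, not part of the benchmark text. It applies the check above to a kube-apiserver command line as it appears in ps -ef output and treats an absent flag as a finding, because the default (true) then applies; the sample command lines are constructed for offline testing, and the function names are my own.

```shell
#!/bin/sh
# Evaluate one kube-apiserver command line (as printed by `ps -ef`).
# Returns 0 only when --service-account-extend-token-expiration is present
# and set to a false value; returns 1 when it is absent (default true
# applies, tokens extended to one year) or set to any other value.
check_extend_token_expiration() {
    cmdline="$1"
    # Split arguments on spaces, keep the last occurrence of the flag's value.
    value=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | sed -n 's/^--service-account-extend-token-expiration=//p' | tail -n 1)
    case "$value" in
        false|False|FALSE|f|F|0) return 0 ;;  # explicitly disabled: pass
        "")                      return 1 ;;  # flag absent: default true
        *)                       return 1 ;;  # true or unexpected value
    esac
}

# Audit the live control plane node: locate the kube-apiserver process
# (the [k] trick keeps the grep itself out of the match) and evaluate it.
audit_live_apiserver() {
    line=$(ps -ef | grep '[k]ube-apiserver' | head -n 1)
    [ -n "$line" ] || { echo "kube-apiserver process not found"; return 2; }
    if check_extend_token_expiration "$line"; then
        echo "PASS: --service-account-extend-token-expiration=false is set"
    else
        echo "FAIL: flag absent or not false; tokens are extended to one year"
        return 1
    fi
}

# Constructed sample ps lines (hypothetical values) for offline checks.
SAMPLE_PASS='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --advertise-address=10.0.0.1 --service-account-extend-token-expiration=false --service-account-issuer=https://kubernetes.default.svc'
SAMPLE_FAIL_ABSENT='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --advertise-address=10.0.0.1 --service-account-issuer=https://kubernetes.default.svc'
SAMPLE_FAIL_TRUE='root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --service-account-extend-token-expiration=true'

# Run the live audit only when invoked with --live, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    audit_live_apiserver
fi
```

Run with `sh audit.sh --live` on the Control Plane node; a non-zero exit status means the control is not met.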

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --service-account-extend-token-expiration parameter to false.
 --service-account-extend-token-expiration=false