Profile Applicability:
Level 1
Description:
Ensure that the --service-account-lookup argument is set to true in the Kubernetes API server configuration. This argument enables the API server to look up service account names during authentication and authorization checks. When set to true, Kubernetes will verify the service account name as part of the authentication process to ensure that the service account is valid and properly authorized.
Rationale:
Enabling the --service-account-lookup argument ensures that the API server properly verifies service account names during authentication and authorization. This helps prevent issues where service account tokens could be accepted for non-existent or unauthorized service accounts, thereby enhancing the security of the cluster by ensuring that only valid and authorized service accounts can authenticate with the API server.
Impact:
Pros:
Enhances security by ensuring that service account names are validated, preventing unauthorized access via invalid service account tokens.
Ensures that service account-related operations are properly authorized and validated.
Cons:
Disabling or misconfiguring this setting could allow invalid or unauthorized service accounts to authenticate, leading to potential security risks or misconfigured access control.
Default Value:
By default, the --service-account-lookup argument may not be set, and service account name validation may be disabled. It must be manually configured to true to enable service account lookup.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Sufficient privileges (root or administrator access) to modify the API server flags.
A Kubernetes environment where service account lookup is required for enhanced security.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --service-account-lookup argument in the API server configuration.
Ensure that the --service-account-lookup argument is set to true.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check for the presence of the --service-account-lookup argument in the API server arguments section:
- --service-account-lookup=true
Ensure that the --service-account-lookup argument is set to true. If it is not, update the configuration to enable service account lookup.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --service-account-lookup argument.
If the argument is missing or set incorrectly, update the API server configuration to set --service-account-lookup=true.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --service-account-lookup=true argument:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following line to enable service account lookup:
- --service-account-lookup=true
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by setting the --service-account-lookup argument to false or restoring the default configuration.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --service-account-lookup argument to false:
kubectl edit deployment -n kube-system kube-apiserverUpdate the deployment YAML to include --service-account-lookup=false if needed.
Save and exit the editor to apply the changes.
References:
Kubernetes API Server Configuration
AWS EKS Documentation