Profile Applicability:
Level 1
Description:
Service account token authentication is a mechanism used in Kubernetes for service accounts to authenticate to the API server. However, using service account tokens for user authentication is not recommended, as it bypasses the intended use of service accounts and creates security risks, such as shared credentials and less granular access control. Instead, users should authenticate using more secure and scalable methods, such as OpenID Connect (OIDC) or integrated identity management systems (e.g., AWS IAM or LDAP).
Rationale:
Service account tokens are designed for use by applications and services within the cluster, not for human user authentication. Allowing users to authenticate using service account tokens can introduce security vulnerabilities, such as lack of user-specific access control, shared credentials, and difficulties in auditing user actions. Modern authentication methods provide better user identification, access control, and auditability, enhancing cluster security.
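The auditability problem described above is detectable in practice. Every request made with a service account token is attributed to a username of the form system:serviceaccount:<namespace>:<name>, so a request from such an identity that carries an interactive user agent (kubectl, a terminal UI, a browser) rather than the user agent of an in-cluster workload is a strong signal that a person is logging in with a workload credential. The following Python script is an added example, not part of the benchmark text or of any Kubernetes or AWS tooling; it scans Kubernetes audit events in JSON-lines form and flags that pattern. The audit lines, the service account names and the list of "interactive" user-agent prefixes are constructed assumptions for the example.

```python
"""Flag Kubernetes audit events where a service-account identity is used
the way a human would use it (added example; audit lines are constructed)."""
import json

SA_PREFIX = "system:serviceaccount:"
# User-agent prefixes that normally mean a person at a terminal or browser.
# This list is an assumption for the example; extend it for your environment.
INTERACTIVE_AGENTS = ("kubectl/", "k9s/", "Mozilla/")

# Three constructed audit events: a legitimate in-cluster workload, a
# service-account token driven from kubectl, and a human with a proper identity.
CONSTRUCTED_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:metrics-server","groups":["system:serviceaccounts"]},"userAgent":"metrics-server/v0.6.4","sourceIPs":["10.0.12.7"],"objectRef":{"resource":"nodes"}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:deploy-bot","groups":["system:serviceaccounts"]},"userAgent":"kubectl/v1.29.2 (darwin/arm64) kubernetes/4b8e819","sourceIPs":["203.0.113.45"],"objectRef":{"resource":"secrets","namespace":"prod"}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com","groups":["developers"]},"userAgent":"kubectl/v1.29.2 (darwin/arm64) kubernetes/4b8e819","sourceIPs":["203.0.113.45"],"objectRef":{"resource":"pods","namespace":"prod"}}
"""


def is_service_account(username):
    """True when the request was authenticated with a service-account token."""
    return username.startswith(SA_PREFIX)


def looks_interactive(user_agent):
    """True when the client looks like a human-driven tool."""
    return user_agent.startswith(INTERACTIVE_AGENTS)


def find_human_use_of_sa_tokens(audit_log_text):
    """Return one finding per event pairing a service-account identity with
    an interactive user agent. Each finding keeps the fields an analyst needs
    to trace the token: which service account, what was touched, from where."""
    findings = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        username = event.get("user", {}).get("username", "")
        agent = event.get("userAgent", "")
        if is_service_account(username) and looks_interactive(agent):
            findings.append({
                "serviceaccount": username[len(SA_PREFIX):],
                "verb": event.get("verb"),
                "resource": event.get("objectRef", {}).get("resource"),
                "source_ip": (event.get("sourceIPs") or [None])[0],
                "user_agent": agent.split(" ")[0],
            })
    return findings


if __name__ == "__main__":
    for finding in find_human_use_of_sa_tokens(CONSTRUCTED_AUDIT_LOG):
        print(finding)
```

On EKS the same events are available once the audit log type is enabled in the cluster's control plane logging; the script only needs the events exported as one JSON object per line. The user-agent heuristic is a triage signal, not proof: a CI job that runs kubectl with a service account token will also match, which is exactly the kind of shared credential the rationale warns about and is worth reviewing anyway.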
Impact:
Pros:
Improves security by ensuring users authenticate through appropriate mechanisms (e.g., OIDC, IAM).
Enables more granular access control and audit logging for user actions.
Reduces the risk of users obtaining service account tokens with broader privileges.
Cons:
Requires transitioning users to a more scalable and modern authentication method, which may require configuration changes.
Default Value:
Service account token authentication is not intended for users and is typically not used for them in well-configured Kubernetes clusters. However, nothing prevents a user from authenticating with a service account token unless the cluster is explicitly configured and operated to prevent it.
Pre-requisites:
The Kubernetes cluster should be configured to use alternative authentication methods, such as OIDC or IAM.
Users should be migrated to an identity management system that supports more scalable authentication.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the Kubernetes API server configuration.
Verify that service account token authentication is not enabled for user authentication and that an alternative authentication method (like OIDC or IAM) is used.
Using AWS CLI:
Run the following AWS CLI commands to inspect the cluster's user authentication configuration. The describe-cluster output has no cluster.config field: the IAM authentication mode is reported under cluster.accessConfig, and any OIDC identity provider associated with the cluster is returned by list-identity-provider-configs.
aws eks describe-cluster --name <cluster-name> --query "cluster.accessConfig.authenticationMode"
aws eks list-identity-provider-configs --cluster-name <cluster-name>
Ensure that an IAM or OIDC method is configured for users and that service account token authentication is not used as the authentication method for users.
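Two offline checks that back the test plan above, as an added Python example that is not the benchmark's own tooling: the first decodes the bearer tokens found in a kubeconfig and flags any user entry whose credential is a service account JWT rather than an exec-based credential such as aws eks get-token; the second reads the JSON that aws eks describe-cluster and aws eks list-identity-provider-configs return and summarises which user-facing authentication methods the cluster offers. The kubeconfig, the JWT, the cluster name and the identity provider name are constructed samples; the kubeconfig is passed as an already-parsed dictionary (for example from yaml.safe_load) so the script has no third-party dependency.

```python
"""Offline checks for service-account tokens in kubeconfigs and for the
cluster's configured user authentication methods (added example)."""
import base64
import json

SA_PREFIX = "system:serviceaccount:"


def _b64url(data):
    """Base64url-encode a dict without padding, as JWTs do."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def constructed_sa_token(namespace, name):
    """Build an unsigned JWT carrying the claims a real service-account token
    carries. Constructed for the example; the signature is a placeholder."""
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {"iss": "kubernetes/serviceaccount",
              "sub": SA_PREFIX + namespace + ":" + name,
              "kubernetes.io/serviceaccount/namespace": namespace}
    return _b64url(header) + "." + _b64url(claims) + ".placeholder-signature"


# Constructed kubeconfig: one user with an exec credential (correct) and one
# shared entry that pastes a service-account token straight into the file.
CONSTRUCTED_KUBECONFIG = {
    "users": [
        {"name": "alice", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1beta1",
            "command": "aws",
            "args": ["eks", "get-token", "--cluster-name", "prod"]}}},
        {"name": "ops-shared", "user": {
            "token": constructed_sa_token("kube-system", "admin-sa")}},
    ]
}


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. That is enough
    for triage of a file you already hold; never use this to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def users_with_service_account_tokens(kubeconfig):
    """Return (user entry name, subject) for every static token that belongs
    to a service account. Exec-based credentials are not flagged."""
    findings = []
    for entry in kubeconfig.get("users", []):
        token = entry.get("user", {}).get("token")
        if not token:
            continue
        claims = decode_jwt_claims(token) or {}
        subject = str(claims.get("sub", ""))
        if subject.startswith(SA_PREFIX):
            findings.append((entry["name"], subject))
    return findings


# Constructed shapes of `aws eks describe-cluster` and
# `aws eks list-identity-provider-configs` output.
CONSTRUCTED_DESCRIBE_CLUSTER = {"cluster": {
    "name": "prod",
    "identity": {"oidc": {"issuer": "https://oidc.eks.example-region.amazonaws.com/id/EXAMPLE"}},
    "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"}}}
CONSTRUCTED_IDP_LIST = {"identityProviderConfigs": [{"type": "oidc", "name": "corp-sso"}]}


def user_auth_methods(describe_cluster, idp_list):
    """Summarise the cluster's user authentication methods.
    Caveat: cluster.identity.oidc.issuer is the issuer of the cluster's own
    service-account tokens (used for IAM roles for service accounts); it does
    not mean user OIDC login is configured. User-facing OIDC providers are the
    ones returned by list-identity-provider-configs."""
    cluster = describe_cluster["cluster"]
    mode = cluster.get("accessConfig", {}).get("authenticationMode")
    oidc_providers = [c["name"] for c in idp_list.get("identityProviderConfigs", [])
                      if c.get("type") == "oidc"]
    return {"iam_authentication_mode": mode,
            "oidc_identity_providers": oidc_providers,
            "alternative_method_configured": mode is not None or bool(oidc_providers)}


if __name__ == "__main__":
    print(users_with_service_account_tokens(CONSTRUCTED_KUBECONFIG))
    print(user_auth_methods(CONSTRUCTED_DESCRIBE_CLUSTER, CONSTRUCTED_IDP_LIST))
```

Run the kubeconfig check against every kubeconfig handed to users (and against any checked into repositories or CI variables); a static token whose subject starts with system:serviceaccount: is the condition this recommendation is trying to eliminate. The cluster check reports the IAM authentication mode and the associated OIDC providers separately so the reviewer can see which of the two alternative methods is actually in place.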
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Under the Cluster Configuration section, review the authentication settings.
Disable service account token authentication for users and enable a more modern authentication method (e.g., OIDC, IAM).
Save the configuration and apply the changes.
Using AWS CLI:
Associate an OIDC identity provider with the cluster so that users authenticate through it instead of with service account tokens. Note that aws eks update-cluster-config has no --enable-oidc-authentication or --kubernetes-version option; the supported command is:
aws eks associate-identity-provider-config --cluster-name <cluster-name> --oidc identityProviderConfigName=<identity-provider-config-name>,issuerUrl=<issuer-url>,clientId=<client-id>,usernameClaim=email,groupsClaim=groups
Backout Plan:
Using AWS Console:
Navigate to the EKS cluster's API server configuration.
If necessary, revert the configuration to re-enable service account token authentication.
Save the configuration and redeploy the cluster.
Using AWS CLI:
If issues occur, remove the OIDC identity provider association again (aws eks update-cluster-config has no --enable-service-account-token-authentication option):
aws eks disassociate-identity-provider-config --cluster-name <cluster-name> --identity-provider-config type=oidc,name=<identity-provider-config-name>
References:
Kubernetes Authentication Documentation
EKS Cluster Management