Service account lookup set to false
This product is not supported for your selected
Datadog site. (
).
Id: a5530bd7-225a-48f9-91bb-f40b04200165
Cloud Provider: k8s
Platform: Kubernetes
Severity: High
Category: Access Control
Learn More
Description
When using kube-apiserver
, the --service-account-lookup
flag should be set to true
. This rule flags containers (including initContainers
) that run kube-apiserver
and explicitly set --service-account-lookup=false
. Disabling this lookup skips verification that a token’s service account still exists, which can allow tokens for deleted or revoked service accounts to be accepted; therefore the flag should be enabled (true
).
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--service-account-lookup=true"]
restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: []
restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--service-account-lookup=false"]
restartPolicy: OnFailure