Kubernetes API server service account token extended expiration should be disabled

Description

By default (--service-account-extend-token-expiration=true), the kube-apiserver silently extends the lifetime of projected service account tokens injected by the ServiceAccount admission controller to up to one year, so that legacy clients which never reload the token keep working. The flag was introduced as a migration aid for the bound service account token rollout, not as a long-term security posture, and it widens the window in which a stolen token remains valid. CIS Kubernetes v2.0.0 recommends disabling the extension so tokens fully honor their requested expiration; workloads that need longer-lived credentials should migrate to projected service account token volumes with an explicit expirationSeconds.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on each master node and set the parameter:

--service-account-extend-token-expiration=false

Restart the API server pod for the change to take effect.
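The following audit script is an added example for verifying the remediation above on a control plane node; it is not Datadog's or Kubernetes' own tooling. It reads the kube-apiserver static pod manifest (defaulting to the path given above), extracts the value of --service-account-extend-token-expiration from the kubeadm-style command list, and reports PASS only when the flag is explicitly set to false. An absent flag is reported as a failure because the kube-apiserver default is true. The sample manifests it writes are constructed for the demonstration and contain no real cluster configuration.

```shell
#!/bin/sh
# Audit check for --service-account-extend-token-expiration in the
# kube-apiserver static pod manifest. Added example, not Datadog's or
# Kubernetes' own code; the default manifest path is the one from the
# remediation text, any other path can be passed as the first argument.

# Returns 0 when the flag is explicitly set to false,
#         1 when it is absent (kube-apiserver defaults to true) or set to true,
#         2 when the manifest cannot be read.
check_extend_token_expiration() {
    manifest="${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
    [ -r "$manifest" ] || { echo "ERROR: cannot read $manifest" >&2; return 2; }
    # kubeadm writes each API server flag as a YAML list item:  "    - --flag=value"
    # Take the last occurrence, as a repeated command-line flag's last value wins.
    value=$(grep -E '^[[:space:]]*-[[:space:]]*--service-account-extend-token-expiration=' "$manifest" \
        | tail -n 1 | sed -E 's/.*=//' | tr -d '[:space:]')
    case "$value" in
        false)
            echo "PASS: $manifest sets --service-account-extend-token-expiration=false"
            return 0 ;;
        "")
            echo "FAIL: flag absent from $manifest (kube-apiserver defaults to true)"
            return 1 ;;
        *)
            echo "FAIL: $manifest sets --service-account-extend-token-expiration=$value"
            return 1 ;;
    esac
}

# Writes a constructed, kubeadm-shaped manifest to $1. $2 is the flag value;
# pass an empty string to omit the flag entirely.
write_sample_manifest() {
    path="$1"; value="$2"
    {
        printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: kube-apiserver\n  namespace: kube-system\n'
        printf 'spec:\n  containers:\n  - name: kube-apiserver\n    command:\n    - kube-apiserver\n'
        printf '    - --service-account-issuer=https://kubernetes.default.svc.cluster.local\n'
        [ -n "$value" ] && printf '    - --service-account-extend-token-expiration=%s\n' "$value"
        printf '    - --secure-port=6443\n'
    } > "$path"
}

# Demonstration on constructed manifests (a real audit would omit this and
# simply call check_extend_token_expiration on the node's manifest).
demo_dir=$(mktemp -d)
write_sample_manifest "$demo_dir/compliant.yaml" false
write_sample_manifest "$demo_dir/noncompliant.yaml" ""
check_extend_token_expiration "$demo_dir/compliant.yaml" || true
check_extend_token_expiration "$demo_dir/noncompliant.yaml" || true
rm -rf "$demo_dir"
```

On a node, run it as `sh check.sh` (or with an explicit path) after editing the manifest; the exit code is suitable for a cron or CI gate. Because kubelet re-reads static pod manifests automatically, a PASS from this script on the file does not by itself prove the running process has restarted with the new flag: confirm with `ps -ef | grep kube-apiserver` or by checking the pod's restart time that the change has actually taken effect.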