---
title: >-
  Kubernetes API server service account token extended expiration should be
  disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Kubernetes API server service account token extended expiration should be disabled
## Description{% #description %}

By default (`--service-account-extend-token-expiration=true`), the kube-apiserver silently extends the lifetime of admission-injected projected service account tokens to up to one year, so that legacy clients which never reload the mounted token keep working. The flag was introduced as a migration aid for the bound service account token rollout, not as a long-term security posture, and it widens the window in which a stolen token remains valid. CIS Kubernetes v2.0.0 recommends disabling the extension so that tokens fully honor their requested expiration; workloads that need longer-lived credentials should migrate to projected service account token volumes with an explicit `expirationSeconds`.

## Remediation{% #remediation %}

Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on each master node and set the parameter:

`--service-account-extend-token-expiration=false`

Restart the API server pod for the change to take effect.
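To verify the remediation on a node, the following added audit helper (example code, not part of the Datadog rule or of Kubernetes) reads a kube-apiserver static pod manifest and reports whether the flag is explicitly set to `false`; a missing flag is reported as non-compliant because the server default is `true`. The sample manifests it generates are constructed for the demonstration and are not from a real cluster.

```shell
#!/bin/sh
# Audit a kube-apiserver static pod manifest for the token-extension flag.
# Exit status: 0 = "--service-account-extend-token-expiration=false" present (compliant),
#              1 = flag absent (defaults to true) or set to any other value (non-compliant).
check_token_extension() {
  manifest="$1"
  # kubeadm-style manifests pass flags as "- --name=value" list items under "command:".
  # Take the first matching item, keep what follows "=", and drop trailing quotes/spaces.
  value=$(grep -E '^[[:space:]]*-[[:space:]]*"?--service-account-extend-token-expiration=' "$manifest" \
    | head -n 1 | sed -E 's/.*=//; s/["[:space:]]*$//')
  if [ -z "$value" ]; then
    echo "FAIL: flag not set; kube-apiserver defaults to true (tokens extended up to 1 year)"
    return 1
  fi
  case "$value" in
    false) echo "PASS: --service-account-extend-token-expiration=false"; return 0 ;;
    *)     echo "FAIL: --service-account-extend-token-expiration=$value"; return 1 ;;
  esac
}

# Write a constructed sample manifest (hypothetical, for the demo only) to $1.
# $2 is an optional extra "command:" list item, e.g. the flag under test.
write_sample() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver
    command:
    - kube-apiserver
    - --anonymous-auth=false
    ${2}
EOF
}

# Demo: the default (flag omitted), the weak setting, and the remediated setting.
demo() {
  tmp=$(mktemp -d)
  write_sample "$tmp/default.yaml" ""
  write_sample "$tmp/weak.yaml" "- --service-account-extend-token-expiration=true"
  write_sample "$tmp/hardened.yaml" "- --service-account-extend-token-expiration=false"
  for f in default weak hardened; do
    printf '%s: ' "$f"; check_token_extension "$tmp/$f.yaml" || true
  done
  rm -rf "$tmp"
}
demo
```

On a live node, run `check_token_extension /etc/kubernetes/manifests/kube-apiserver.yaml` after applying the remediation; the exit status makes it usable from a compliance cron job.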
