A service account (SA) represents an application identity in Kubernetes. By default, an SA token is mounted into every pod created in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who gain access to a pod can read the SA token (located at /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster according to the SA's permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings / ClusterRoleBindings associated with it.
Create a pod that is assigned a ServiceAccount with the relevant permissions:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  # serviceAccountName replaces the deprecated alias serviceAccount
  serviceAccountName: secret-reader
  containers:
  - image: nginx
    name: my-pod
$ kubectl exec -it my-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1N...1TfYOhsf0oBcA-7B5-s2PIqtVouW7YOcw
Note that starting with Kubernetes 1.24, service account tokens are no longer bound to a Secret object, and the technique above is only exploitable for an attacker if the mounted service account token actually has permissions attached to it.
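Since the exposure described above only exists when a mounted token also carries RBAC permissions, a defender's first check is to list pods whose token is actually mounted and whose SA is bound to a Role. The following is an added example (not code from the original page) that runs that check over a constructed sample shaped like the "items" of `kubectl get pods,serviceaccounts,roles,rolebindings -A -o json`; the pod, SA and role names are invented to mirror the manifest above, and ClusterRoleBindings are out of scope.

```python
# Constructed sample, shaped like the "items" of `kubectl get <kind> -A -o json`
# and trimmed to the fields read below (not captured from a real cluster).
NS = {"namespace": "default"}
PODS = [
    {"metadata": {**NS, "name": "my-pod"}, "spec": {"serviceAccountName": "secret-reader"}},
    {"metadata": {**NS, "name": "web"}, "spec": {}},  # default SA, which has no bindings
    {"metadata": {**NS, "name": "batch"}, "spec": {"serviceAccountName": "secret-reader",
                                                   "automountServiceAccountToken": False}},
]
SERVICE_ACCOUNTS = [{"metadata": {**NS, "name": "default"}},
                    {"metadata": {**NS, "name": "secret-reader"}}]
ROLES = [{"metadata": {**NS, "name": "secret-reader"},
          "rules": [{"verbs": ["get", "list"], "resources": ["secrets"]}]}]
ROLE_BINDINGS = [{"metadata": {**NS, "name": "read-secrets"},
                  "roleRef": {"kind": "Role", "name": "secret-reader"},
                  "subjects": [{"kind": "ServiceAccount", "name": "secret-reader"}]}]

def sa_name(pod):
    spec = pod["spec"]  # `serviceAccount` is the deprecated alias of `serviceAccountName`
    return spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"

def token_mounted(pod, sa_automount):
    """Mounted unless the pod opts out or, if the pod is silent, its SA opts out."""
    default = sa_automount.get((pod["metadata"]["namespace"], sa_name(pod)), True)
    return pod["spec"].get("automountServiceAccountToken", default)

def sa_grants(ns, sa, rolebindings, roles):
    """Rules granted to ns/sa via RoleBindings (ClusterRoleBindings not covered here)."""
    grants = []
    for rb in (b for b in rolebindings if b["metadata"]["namespace"] == ns):
        if any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
               and s.get("namespace", ns) == ns for s in rb.get("subjects", [])):
            ref = rb["roleRef"]  # a RoleBinding may also point at a ClusterRole
            role = roles.get((ns if ref["kind"] == "Role" else None, ref["name"]), {})
            grants += [(sorted(r.get("verbs", [])), sorted(r.get("resources", [])))
                       for r in role.get("rules", [])]
    return grants

def exposed_pods(pods, serviceaccounts, rolebindings, roles):
    """Map 'ns/pod' -> (verbs, resources) reachable with the token mounted in that pod."""
    sa_automount = {(s["metadata"]["namespace"], s["metadata"]["name"]):
                    s.get("automountServiceAccountToken", True) for s in serviceaccounts}
    role_index = {(r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    findings = {}
    for pod in pods:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        if not token_mounted(pod, sa_automount):
            continue  # nothing under /var/run/secrets/kubernetes.io/serviceaccount
        grants = sa_grants(ns, sa_name(pod), rolebindings, role_index)
        if grants:
            findings[f"{ns}/{name}"] = grants
    return findings
```

Only `my-pod` is reported: `web` runs with the unbound default SA, and `batch` opts out of the mount, which is the fix to apply (`automountServiceAccountToken: false` on the pod or the SA) wherever a workload does not need the API.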