Best practices

K8S API server configuration does not contain service-account-lookup

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

If --service-account-lookup is not enabled, the API server only verifies that the authentication token itself is valid (correctly signed) and does not check that the service account named in the token still exists in etcd. As a result, a service account token keeps working even after the corresponding service account has been deleted. Orca has detected that the '--service-account-lookup' parameter is not enabled.
Recommended Mitigation

It is recommended to set the '--service-account-lookup' parameter to true in the kube-apiserver configuration file, so that every service account token is checked against the service account object in etcd.
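A small check that evaluates the kube-apiserver argument list for this setting, added here as an example and not part of Orca's tooling. It reads the arguments as they appear in the static pod manifest's `command:` list (on kubeadm clusters typically /etc/kubernetes/manifests/kube-apiserver.yaml; the path is an assumption) and, following the recommendation above, treats an absent flag the same as a false one, since the mitigation is to set it explicitly.

```python
"""Check kube-apiserver arguments for --service-account-lookup.

Added example (not Orca's code). Input is the argument list from the
kube-apiserver static pod manifest `command:` list or from the running
process command line; a missing flag is reported as a finding because
the recommendation is to set the flag to true explicitly.
"""
from typing import List, Optional, Tuple

FLAG = "--service-account-lookup"
# Values Go's strconv.ParseBool accepts as true, compared case-insensitively.
TRUE_VALUES = {"1", "t", "true"}


def service_account_lookup_setting(args: List[str]) -> Optional[bool]:
    """Return True/False for an explicit setting, or None if the flag is absent.

    kube-apiserver boolean flags accept `--flag` (meaning true) and
    `--flag=true|false`; when the flag is repeated, the last occurrence wins.
    """
    value: Optional[bool] = None
    for arg in args:
        if arg == FLAG:
            value = True
        elif arg.startswith(FLAG + "="):
            raw = arg.split("=", 1)[1].strip().lower()
            value = raw in TRUE_VALUES
    return value


def evaluate(args: List[str]) -> Tuple[bool, str]:
    """Return (compliant, message) for one kube-apiserver argument list."""
    setting = service_account_lookup_setting(args)
    if setting is True:
        return True, f"{FLAG} is set to true"
    if setting is False:
        return False, f"{FLAG} is explicitly set to false; change it to true"
    return False, f"{FLAG} is not set; add {FLAG}=true to the apiserver arguments"


# Constructed sample argument lists of the kind found in a kube-apiserver manifest.
SAMPLES = {
    "hardened": ["kube-apiserver", "--secure-port=6443", "--service-account-lookup=true"],
    "explicit-false": ["kube-apiserver", "--secure-port=6443", "--service-account-lookup=false"],
    "absent": ["kube-apiserver", "--secure-port=6443"],
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        ok, msg = evaluate(sample)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {msg}")
```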