1.2.25 Ensure that the --service-account-lookup argument is set to true

Information

Validate service account before validating token.

Rationale:

If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue.

Impact:

None.

Solution

None.

Default Value:

Service account lookup is enabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.7

Plugin: OpenShift

Control ID: 02f4cfc2ce96554cf3e44e428f4c9de63dc1528efa94748fc0d7b90fe6174787