Ensure the --service-account-lookup argument is set to True

Error: The --service-account-lookup argument is not set to True

Bridgecrew Policy ID: BC_K8S_72
Checkov Check ID: CKV_K8S_96
Severity: HIGH

The --service-account-lookup argument is not set to True


Validate service account before validating token.
If --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue.

Fix - Buildtime


  • Kind: Pod
apiVersion: v1
kind: Pod
  creationTimestamp: null
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
  - command:
+   - kube-apiserver
+   - --service-account-lookup=true
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0