Scenario #208
Security
K8s v1.22, DigitalOcean

Service Account Token Compromise

A compromised service account token was used to gain unauthorized access to the cluster's API server.

What Happened

A service account token was leaked through an insecure deployment configuration, allowing attackers to gain unauthorized access to the Kubernetes API server.

Diagnosis Steps
1. Analyzed the audit logs and identified that the compromised service account token was being used to make API calls.
2. Inspected the deployment YAML and found that the service account token was exposed as an environment variable.
Root Cause

Exposing the service account token in environment variables allowed it to be compromised.

Fix/Workaround
• Rotated the service account token and updated the deployment to prevent exposure.
• Used Kubernetes secrets management to securely store sensitive tokens.
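The exposure pattern found in the diagnosis (a service account token sitting in a Deployment as a literal environment variable) and the fix (reading it from a Secret instead) can be checked mechanically. The script below is an added example, not tooling from this scenario page or from any Kubernetes project. It works on the JSON shape `kubectl get deployment -o json` returns; the two manifests, the namespace and container names, and the token itself are constructed (the token has real claim names but a junk signature). The name heuristic goes slightly beyond the page and also flags other credential-looking literals such as passwords.

```python
"""Flag Deployment manifests that hand a service-account token (or any other
credential) to a container as a literal environment variable.

Added example for this scenario, not the page's own tooling. It reads the JSON
shape `kubectl get deployment -o json` returns; the two manifests and the token
embedded below are constructed (the token is an unsigned stand-in).
"""
import base64
import json
import re

# Service-account tokens are JWTs: three base64url segments joined by dots.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
# Env var names that usually carry a credential of some kind.
SENSITIVE_NAME_RE = re.compile(r"TOKEN|SECRET|PASSWORD|CREDENTIAL", re.I)


def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def looks_like_sa_token(value: str) -> bool:
    """True if value is a JWT whose claims mark it as a Kubernetes SA token."""
    if not JWT_RE.match(value):
        return False
    payload_b64 = value.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, TypeError):  # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(payload, dict):
        return False
    # Legacy tokens use issuer "kubernetes/serviceaccount"; bound tokens carry
    # a top-level "kubernetes.io" claim with pod and service-account details.
    iss = str(payload.get("iss", ""))
    return "kubernetes" in iss or "kubernetes.io" in payload


def find_exposed_tokens(manifest: dict) -> list:
    """Return (container, env var, reason) for each risky literal env value.

    Entries that use valueFrom (secretKeyRef, fieldRef, ...) are skipped: the
    value then lives in a Secret, not in the manifest or the pod spec.
    """
    findings = []
    pod_spec = manifest["spec"]["template"]["spec"]
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        for env in c.get("env", []):
            value = env.get("value")
            if value is None:
                continue
            if looks_like_sa_token(value):
                findings.append((c["name"], env["name"], "literal service-account JWT"))
            elif SENSITIVE_NAME_RE.search(env["name"]):
                findings.append((c["name"], env["name"], "credential-like name with literal value"))
    return findings


# Constructed stand-in for the leaked token: real claim names, junk signature.
FAKE_SA_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example-kid"}),
    _b64url({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "payments",
        "kubernetes.io/serviceaccount/service-account.name": "api-reader",
        "sub": "system:serviceaccount:payments:api-reader",
    }),
    "not-a-real-signature",
])


def _deployment(env: list) -> dict:
    """Minimal Deployment (constructed) with one container carrying `env`."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "payments-api", "namespace": "payments"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "api", "image": "example.invalid/payments-api:1.4", "env": env}]}}},
    }


# The pattern from the incident: the token sits in the manifest itself.
EXPOSED_MANIFEST = _deployment([
    {"name": "LOG_LEVEL", "value": "info"},
    {"name": "K8S_TOKEN", "value": FAKE_SA_TOKEN},
    {"name": "DB_PASSWORD", "value": "hunter2"},
])

# The fix: the container reads each credential from a Secret at runtime.
FIXED_MANIFEST = _deployment([
    {"name": "LOG_LEVEL", "value": "info"},
    {"name": "K8S_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-reader-token", "key": "token"}}},
    {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "payments-db", "key": "password"}}},
])


if __name__ == "__main__":
    for label, manifest in (("exposed", EXPOSED_MANIFEST), ("fixed", FIXED_MANIFEST)):
        findings = find_exposed_tokens(manifest)
        print(f"{label}: {len(findings)} finding(s)")
        for container, name, reason in findings:
            print(f"  container={container} env={name}: {reason}")
```

Run it as an admission or CI step over rendered manifests: the exposed manifest yields two findings, the fixed one none. In many cases the env var is not needed at all, since the pod's own service account token is already mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token`; a `secretKeyRef` is the right shape when the credential genuinely must arrive through the environment.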
Lessons Learned

Never expose sensitive tokens or secrets through environment variables or unsecured channels.

How to Avoid
1. Use Kubernetes Secrets to store sensitive information securely.
2. Regularly rotate service account tokens and audit access logs for suspicious activity.
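The first diagnosis step and the last point above both rest on reading the API server's audit log for a service account behaving out of profile. The script below is an added example, not from this scenario page or from any Kubernetes project. It consumes the JSON-lines format the API server writes to `--audit-log-path` and compares each event to a per-account baseline of expected verbs, resources and client user agent, plus the pod network the token should be used from. The six events, the `10.244.0.0/16` pod CIDR, the `payments:api-reader` account and its baseline are all constructed.

```python
"""Hunt in Kubernetes API-server audit logs for a service-account token being
used from an unexpected place or for unexpected actions.

Added example for this scenario, not the page's own tooling. Input is the
JSON-lines format written by the API server's --audit-log-path; the events,
the pod CIDR and the per-account baseline below are all constructed.
"""
import ipaddress
import json

# Addresses pods are expected to call the API server from (constructed value).
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")

# What each workload's service account legitimately does (constructed baseline).
# Anything outside it, or any call from outside the pod network, is reported.
BASELINE = {
    "system:serviceaccount:payments:api-reader": {
        "verbs": {"get", "list", "watch"},
        "resources": {"configmaps", "services"},
        "user_agent_prefix": "payments-api/",
    },
}

# Constructed audit events (stage ResponseComplete), one JSON object per line.
AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","requestReceivedTimestamp":"2024-05-01T09:00:01Z","verb":"get","requestURI":"/api/v1/namespaces/payments/configmaps/app-config","user":{"username":"system:serviceaccount:payments:api-reader"},"sourceIPs":["10.244.3.17"],"userAgent":"payments-api/1.4","objectRef":{"resource":"configmaps","namespace":"payments","name":"app-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","requestReceivedTimestamp":"2024-05-01T09:00:02Z","verb":"list","requestURI":"/api/v1/namespaces/payments/services","user":{"username":"system:serviceaccount:payments:api-reader"},"sourceIPs":["10.244.3.17"],"userAgent":"payments-api/1.4","objectRef":{"resource":"services","namespace":"payments"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","requestReceivedTimestamp":"2024-05-01T09:14:22Z","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"system:serviceaccount:payments:api-reader"},"sourceIPs":["203.0.113.42"],"userAgent":"kubectl/v1.22.4 (linux/amd64)","objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","requestReceivedTimestamp":"2024-05-01T09:15:03Z","verb":"create","requestURI":"/api/v1/namespaces/kube-system/pods","user":{"username":"system:serviceaccount:payments:api-reader"},"sourceIPs":["203.0.113.42"],"userAgent":"kubectl/v1.22.4 (linux/amd64)","objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","requestReceivedTimestamp":"2024-05-01T09:15:40Z","verb":"get","requestURI":"/api/v1/namespaces/payments/configmaps/app-config","user":{"username":"system:serviceaccount:payments:api-reader"},"sourceIPs":["10.244.3.17"],"userAgent":"payments-api/1.4","objectRef":{"resource":"configmaps","namespace":"payments","name":"app-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a6","stage":"ResponseComplete","requestReceivedTimestamp":"2024-05-01T09:15:41Z","verb":"get","requestURI":"/api/v1/namespaces/default/endpoints/kubernetes","user":{"username":"system:serviceaccount:kube-system:coredns"},"sourceIPs":["10.244.0.5"],"userAgent":"coredns/1.8.4","objectRef":{"resource":"endpoints","namespace":"default","name":"kubernetes"},"responseStatus":{"code":200}}
"""


def parse_events(text: str):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def suspicious_reasons(event: dict) -> list:
    """Explain why an event is out of profile for its service account (or [])."""
    username = event.get("user", {}).get("username", "")
    policy = BASELINE.get(username)
    if policy is None:  # accounts without a baseline are not judged here
        return []
    reasons = []
    for ip in event.get("sourceIPs", []):
        if ipaddress.ip_address(ip) not in POD_CIDR:
            reasons.append(f"source IP {ip} is outside the pod CIDR")
    verb = event.get("verb")
    resource = event.get("objectRef", {}).get("resource")
    if verb not in policy["verbs"] or resource not in policy["resources"]:
        reasons.append(f"unexpected {verb} on {resource}")
    if not event.get("userAgent", "").startswith(policy["user_agent_prefix"]):
        reasons.append(f"unexpected user agent {event.get('userAgent', '')!r}")
    return reasons


def hunt(text: str) -> list:
    """Return a summary dict for every suspicious event, in log order."""
    findings = []
    for event in parse_events(text):
        reasons = suspicious_reasons(event)
        if reasons:
            findings.append({
                "auditID": event["auditID"],
                "when": event["requestReceivedTimestamp"],
                "user": event["user"]["username"],
                "request": f'{event["verb"]} {event["requestURI"]} -> {event["responseStatus"]["code"]}',
                "reasons": reasons,
            })
    return findings


def first_misuse(text: str):
    """Earliest suspicious timestamp: the compromise began no later than this,
    which bounds how far back the token rotation and review must reach."""
    findings = hunt(text)
    return min(f["when"] for f in findings) if findings else None


if __name__ == "__main__":
    for f in hunt(AUDIT_LOG):
        print(f'{f["when"]} {f["auditID"]} {f["user"]} {f["request"]}')
        for r in f["reasons"]:
            print(f"    - {r}")
    print("first misuse:", first_misuse(AUDIT_LOG))
```

On the constructed log this reports events a3 and a4 (an external source address, a resource and verb the workload never uses, and a kubectl user agent instead of the application's), while the application's own calls and the unbaselined coredns account pass through. Denied requests (the 403 on a4) are worth reporting as much as successful ones: they show what the token holder attempted. When applying this to a real cluster, the baseline and CIDR come from the cluster's own configuration, and pods on the host network will appear with node addresses rather than pod addresses.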