Scenario #253
Security
K8s v1.20, On-Premise

Exposed Service Account Token in Pod

A service account token was mistakenly exposed in a pod, allowing attackers to gain unauthorized access to the Kubernetes API.

What Happened

A developer mistakenly pasted a service account token into a container environment variable as a literal value. Because the value lived in the pod spec itself, it was readable by anyone who could view the pod object (or the manifest in source control) and by anyone who could exec into the container. Attackers obtained the token and used it to make unauthorized calls to the Kubernetes API as that service account.

Diagnosis Steps
  1. Inspected the pod configuration (kubectl get pod -o yaml) and found the service account token stored as a literal value in a container environment variable.
  2. Reviewed the API server audit logs and found requests authenticating as that service account from a client and source address that did not belong to the workload.
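Diagnosis step 2 as a worked check, added here as an example and not part of the original scenario. The audit events, the identity system:serviceaccount:payments:deployer, the pod CIDR 10.244.0.0/16 and the workload's user agent are all constructed for illustration. The check reads kube-apiserver audit lines as written by the JSON-lines backend (enabled with --audit-policy-file and --audit-log-path; the Metadata level is enough for the fields used) and keeps every request made by the leaked identity from outside the pod network or by a client other than the workload itself.

```python
import ipaddress
import json

# Constructed sample of kube-apiserver audit events (audit.k8s.io/v1, JSON lines),
# trimmed to the fields this check reads. Identity, IPs, URIs and times are made up.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/configmaps/app-config","verb":"get","user":{"username":"system:serviceaccount:payments:deployer","groups":["system:serviceaccounts","system:serviceaccounts:payments"]},"sourceIPs":["10.244.3.17"],"userAgent":"deploy-agent/1.4","requestReceivedTimestamp":"2021-03-02T09:14:01.120000Z","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/secrets?limit=500","verb":"list","user":{"username":"system:serviceaccount:payments:deployer","groups":["system:serviceaccounts","system:serviceaccounts:payments"]},"sourceIPs":["203.0.113.42"],"userAgent":"kubectl/v1.20.4 (linux/amd64)","requestReceivedTimestamp":"2021-03-02T11:52:44.007000Z","responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/secrets","verb":"list","user":{"username":"system:serviceaccount:payments:deployer","groups":["system:serviceaccounts","system:serviceaccounts:payments"]},"sourceIPs":["203.0.113.42"],"userAgent":"kubectl/v1.20.4 (linux/amd64)","requestReceivedTimestamp":"2021-03-02T11:53:02.551000Z","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/endpoints","verb":"list","user":{"username":"system:serviceaccount:kube-system:coredns","groups":["system:serviceaccounts","system:serviceaccounts:kube-system"]},"sourceIPs":["10.244.0.5"],"userAgent":"coredns/v1.7.0","requestReceivedTimestamp":"2021-03-02T11:53:10.000000Z","responseStatus":{"code":200}}
"""


def suspicious_uses(audit_jsonl, identity, pod_cidrs, expected_user_agent):
    """Return audit events in which `identity` (a system:serviceaccount:<ns>:<name>
    username) was used from outside the pod network or by an unexpected client.
    Denied requests (403) are kept on purpose: an attacker probing what the
    token is allowed to do is exactly the signal to look for."""
    networks = [ipaddress.ip_network(c) for c in pod_cidrs]
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != identity:
            continue
        reasons = []
        for ip in ev.get("sourceIPs", []):
            if not any(ipaddress.ip_address(ip) in n for n in networks):
                reasons.append(f"source IP {ip} outside pod network")
        ua = ev.get("userAgent", "")
        if not ua.startswith(expected_user_agent):
            reasons.append(f"unexpected user agent {ua!r}")
        if reasons:
            hits.append({"time": ev.get("requestReceivedTimestamp"), "verb": ev.get("verb"),
                         "uri": ev.get("requestURI"),
                         "code": ev.get("responseStatus", {}).get("code"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    # Assumed values for this example: the leaked identity, the cluster's pod CIDR
    # and the user-agent prefix the legitimate workload sends.
    for h in suspicious_uses(SAMPLE_AUDIT_LOG, "system:serviceaccount:payments:deployer",
                             ["10.244.0.0/16"], "deploy-agent/"):
        print(h["time"], h["verb"], h["uri"], h["code"], "; ".join(h["reasons"]))
```

If the API server sits behind a load balancer or proxy that sets X-Forwarded-For, sourceIPs can carry the proxy's address as well as the client's, so confirm the topology before trusting the CIDR test alone; the user-agent test is the weaker of the two, since an attacker who bothers can set it to anything.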
Root Cause

The service account token was copied into the pod's environment variables as a literal value. Anyone with read access to the pod spec, or exec access to the container, could take it and present it to the API server as that service account.

Fix/Workaround
• Removed the literal token from the environment variable. Referencing a Secret via secretKeyRef keeps it out of the pod spec and source control, but the pod's own identity never needs to be copied at all: the kubelet already mounts it at /var/run/secrets/kubernetes.io/serviceaccount/token, and a value in a Secret that is fed back into an env var is still visible to anyone who can exec into the container.
• Rotated the credential. On v1.20 a service account token is a long-lived, Secret-backed JWT: deleting the token Secret makes the API server reject the old token and causes the token controller to issue a new one, after which every workload that used the old token must be restarted.
Lessons Learned

Never expose sensitive credentials like service account tokens in environment variables or in pod specs.

How to Avoid
  1. Keep sensitive data such as service account tokens out of pod specs: store it as a Secret and reference it by name, or, for the pod's own identity, rely on the automounted token instead of copying it.
  2. Regularly audit pod configurations for credentials pasted into env values, commands and args.
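Diagnosis step 1 and "How to Avoid" step 2 as a worked audit, added here as an example and not part of the original scenario. It takes a pod in the shape of kubectl get pod -o json (the sample pod, its names and the token are constructed; the token carries a fake signature), pulls JWT-shaped strings out of env values, commands and args, decodes the claims without verifying the signature, and reports which service account leaked and what has to be rotated. It goes beyond the scenario in recognising both the legacy Secret-backed token format used on v1.20 and the bound/projected token format, since the remediation differs.

```python
import base64
import json
import re

# Three base64url segments of 10+ chars each: enough to pull a JWT out of an env
# value, a command or an arg (real signatures are hundreds of chars long).
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sa_token_claims(candidate):
    """Decode a JWT payload WITHOUT verifying the signature (triage, not auth).
    Return the claims if it is a Kubernetes service account token, else None:
    legacy Secret-backed tokens carry iss=kubernetes/serviceaccount, bound
    (projected) tokens carry a "kubernetes.io" claim block."""
    try:
        header, payload, _sig = candidate.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad padding, bad JSON or UTF-8
        return None
    if not (isinstance(hdr, dict) and "alg" in hdr and isinstance(claims, dict)):
        return None
    if claims.get("iss") == "kubernetes/serviceaccount" or "kubernetes.io" in claims:
        return claims
    return None

def describe(claims):
    """Return (namespace, service account, what to rotate) for a token's claims."""
    if claims.get("iss") == "kubernetes/serviceaccount":
        ns = claims.get("kubernetes.io/serviceaccount/namespace")
        sa = claims.get("kubernetes.io/serviceaccount/service-account.name")
        secret = claims.get("kubernetes.io/serviceaccount/secret.name")
        return ns, sa, f"delete Secret {ns}/{secret}: the old JWT stops validating and a new one is issued"
    k = claims.get("kubernetes.io", {})
    ns, sa = k.get("namespace"), k.get("serviceaccount", {}).get("name")
    pod = k.get("pod", {}).get("name")
    return ns, sa, f"bound token: delete pod {ns}/{pod} (token is tied to its UID), exp={claims.get('exp')}"

def scan_pod(pod):
    """Find service account tokens pasted into a pod spec (env values, command and
    args of every init container and container). One finding per occurrence."""
    findings = []
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            # env entries that use valueFrom have no "value" and are not inspected
            places = [(f"env:{e['name']}", e.get("value", "")) for e in c.get("env", [])]
            places += [(f"command[{i}]", v) for i, v in enumerate(c.get("command", []))]
            places += [(f"args[{i}]", v) for i, v in enumerate(c.get("args", []))]
            for where, text in places:
                for m in JWT_RE.finditer(text or ""):
                    claims = sa_token_claims(m.group(0))
                    if claims is None:
                        continue
                    ns, sa, fix = describe(claims)
                    findings.append({"pod": f"{meta.get('namespace')}/{meta.get('name')}",
                                     "container": c.get("name"), "location": where,
                                     "identity": f"system:serviceaccount:{ns}:{sa}",
                                     "remediation": fix})
    return findings

# Constructed sample: a look-alike legacy token with a fake signature (a real one
# is RS256-signed by the controller-manager's private key).
LEAKED_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256"}),
    _b64url_encode({"iss": "kubernetes/serviceaccount",
                    "kubernetes.io/serviceaccount/namespace": "payments",
                    "kubernetes.io/serviceaccount/secret.name": "deployer-token-x7k2p",
                    "kubernetes.io/serviceaccount/service-account.name": "deployer",
                    "sub": "system:serviceaccount:payments:deployer"}),
    _b64url_encode({"sig": "not-a-real-signature"}),
])

# Constructed sample pod in the shape of `kubectl get pod -o json`, trimmed.
SAMPLE_POD = {
    "metadata": {"name": "deploy-agent-7d9f4", "namespace": "payments"},
    "spec": {
        "serviceAccountName": "deployer",
        "initContainers": [{"name": "wait-for-api", "image": "registry.example.internal/tools:1.0",
                            "command": ["sh", "-c", f"curl -sk -H 'Authorization: Bearer {LEAKED_TOKEN}' "
                                                    "https://kubernetes.default.svc/version"]}],
        "containers": [{"name": "agent", "image": "registry.example.internal/deploy-agent:1.4",
                        "env": [{"name": "LOG_LEVEL", "value": "info"},
                                {"name": "K8S_TOKEN", "value": LEAKED_TOKEN},  # the mistake
                                {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}],
    },
}

if __name__ == "__main__":
    for f in scan_pod(SAMPLE_POD):
        print(f"{f['pod']} {f['container']} {f['location']}: {f['identity']} -> {f['remediation']}")
```

Run it over the output of kubectl get pods -A -o json (iterate over items) on a schedule, and over manifests in source control before they are applied; the same regex also catches tokens passed as command-line flags, which the env-only check in the scenario would miss. Decoding the payload without verification is deliberate: the goal is to learn whose token leaked and what to rotate, not to accept it.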