Skip to content
Nuclei Templates

Checks if service-account-issuer is correctly configured

ID: k8s-svc-acct-issuer-set

Severity: medium

Author: princechaddha

Tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security

Description

Section titled “Description”

Checks if the service-account-issuer argument is correctly configured in the API server, critical for issuing valid service tokens.

YAML Source

Section titled “YAML Source”
id: k8s-svc-acct-issuer-set


info:
  name: Checks if service-account-issuer is correctly configured
  author: princechaddha
  severity: medium
  description: Checks if the service-account-issuer argument is correctly configured in the API server, critical for issuing valid service tokens.
  impact: |
    If the service-account-issuer argument is not set, the API server may issue tokens that are not accepted by other services, leading to authentication failures.
  remediation: |
    Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services.
  reference:
    - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security


variables:
  argument: "service-account-issuer"


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"


    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'kube-apiserver'


      - type: word
        words:
          - "service-account-issuer"
        negative: true


    extractors:
      - type: dsl
        dsl:
          - '"API server configuration lacks the " + argument + " argument."'
# digest: 4a0a00473045022100979349abc90ce4e32c16343c9f0da1aa01ff42bf6fb49a77b1dd3865b2e79e6702206b28a3cef6bdd843bc3de19c8e958ab5bfa61a589846317d5a7b94d939f03369:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml"

View on Github