Create ServiceAccount Tokens
Spoofing
Critical
Overview
| Field | Value |
|---|---|
| ID | 1047 |
| Name | Create ServiceAccount Tokens |
| Risk Category | Spoofing |
| Risk Level | Critical |
| Role Type | Role |
| API Groups | authentication.k8s.io |
| Resources | serviceaccounts/token |
| Risky Verb Combinations | [create] |
| Tags | CredentialAccess Impersonation PotentialPrivilegeEscalation Spoofing TokenCreation |
Description
Allows creating tokens for ServiceAccounts in the namespace the Role is bound in (this is what `kubectl create token` does through the TokenRequest API). If a ServiceAccount holds powerful permissions, minting a token for it lets the caller act as that ServiceAccount, which can lead to privilege escalation, credential access, and spoofing.
Abuse Scenarios
- Create a new service account token for a specific service account.

  ```bash
  kubectl create token <serviceaccount-name> -n <namespace>
  # Example: kubectl create token default -n default
  ```

- Create a new service account token with a specific expiration time.

  ```bash
  kubectl create token <serviceaccount-name> -n <namespace> --duration=1h
  # Example: kubectl create token my-app-sa -n production --duration=24h
  ```
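Detection example, added here and not part of the original catalogue entry: a checker that reads the JSON from `kubectl get roles,clusterroles -A -o json` and reports every Role or ClusterRole granting this risk (create on serviceaccounts/token). It honours RBAC wildcards the way the API server evaluates them (`*` in verbs, and `*` or `*/token` in resources), and it deliberately does not filter on apiGroups: the TokenRequest body is an authentication.k8s.io kind, but the RBAC rule is written against the serviceaccounts subresource and wildcard groups are common, so a grant in any group is reported. The sample input is constructed.

```python
"""Flag Roles/ClusterRoles that can create serviceaccounts/token (risk 1047).

Added example. Input: the List JSON printed by
`kubectl get roles,clusterroles -A -o json`. SAMPLE below is constructed.
"""
import json

RISKY_RESOURCE = "serviceaccounts/token"


def rule_grants_token_create(rule: dict) -> bool:
    """True if one PolicyRule lets the holder create serviceaccounts/token."""
    verbs = rule.get("verbs") or []
    resources = rule.get("resources") or []
    if "*" not in verbs and "create" not in verbs:
        return False
    # RBAC resource matching: "*" (everything), the exact resource/subresource,
    # or the "*/<subresource>" form. Note "serviceaccounts/*" does NOT match.
    return any(r in ("*", RISKY_RESOURCE, "*/token") for r in resources)


def find_risky_roles(role_list: dict) -> list:
    """Return (kind, namespace, name) for each role holding a matching rule."""
    hits = []
    for item in role_list.get("items") or []:
        if any(rule_grants_token_create(r) for r in item.get("rules") or []):
            meta = item["metadata"]
            hits.append((item["kind"], meta.get("namespace", ""), meta["name"]))
    return hits


def scan(json_text: str) -> list:
    return find_risky_roles(json.loads(json_text))


# Constructed sample: an explicit grant, a full wildcard, a */token wildcard,
# and a read-only role that must not be flagged.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Role", "metadata": {"namespace": "prod", "name": "token-minter"},
     "rules": [{"apiGroups": [""], "resources": [RISKY_RESOURCE], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "any-token"},
     "rules": [{"apiGroups": [""], "resources": ["*/token"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "sa-reader"},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get", "list"]}]},
]})

if __name__ == "__main__":
    for kind, ns, name in scan(SAMPLE):
        print(f"{kind} {ns or '<cluster>'}/{name}: can create serviceaccounts/token")
```

Pipe real cluster output into `scan()` and review each hit against the RoleBindings that reference it; a ClusterRole hit matters only where it is actually bound.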