Create ServiceAccount Tokens (ClusterRole for any SA in any namespace)
Spoofing
Critical
Overview
| Field | Value |
|---|---|
| ID | 1048 |
| Name | Create ServiceAccount Tokens (ClusterRole for any SA in any namespace) |
| Risk Category | Spoofing |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | authentication.k8s.io |
| Resources | serviceaccounts/token |
| Verbs | create |
| Tags | CredentialAccess, Impersonation, PrivilegeEscalation, Spoofing, TokenCreation |
Description
Permits creating tokens for any ServiceAccount in any namespace. This is highly critical as it allows an attacker to generate tokens for highly privileged ServiceAccounts (e.g., those bound to cluster-admin), leading to impersonation, credential access, and full privilege escalation.
Abuse Scenarios
- Create a new service account token for any service account in any namespace.
  kubectl create token <serviceaccount-name> -n <namespace>
  # Example: kubectl create token default -n kube-system
- Create a new service account token for a privileged service account (e.g., 'kube-controller-manager').
  kubectl create token kube-controller-manager -n kube-system
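A defender-side check for this grant, added here as an example and not part of the original entry: it scans ClusterRole and ClusterRoleBinding objects (as dicts in the shape of `kubectl get ... -o json`) for rules that allow creating the serviceaccounts/token subresource, and reports which subjects hold that permission cluster-wide. The role, binding and subject names in the sample data are constructed.

```python
# Added example, not part of the original risk entry: find ClusterRoles whose rules
# allow creating serviceaccounts/token (TokenRequest) and the subjects bound to them
# cluster-wide. Inputs mirror `kubectl get ... -o json`; the samples are constructed.

RISKY_VERBS = {"create", "*"}
# RBAC matches a subresource exactly, via "*", or via the "*/<subresource>" form.
RISKY_RESOURCES = {"serviceaccounts/token", "*/token", "*"}
# `kubectl create token` POSTs to /api/v1/namespaces/<ns>/serviceaccounts/<sa>/token
# (core group ""); the entry lists authentication.k8s.io, so both are accepted.
RISKY_GROUPS = {"", "authentication.k8s.io", "*"}

def rule_grants_token_creation(rule):
    """True if one PolicyRule permits creating the serviceaccounts/token subresource."""
    return bool(set(rule.get("apiGroups", [])) & RISKY_GROUPS
                and set(rule.get("resources", [])) & RISKY_RESOURCES
                and set(rule.get("verbs", [])) & RISKY_VERBS)

def find_token_creation_rules(role):
    """Indexes of the matching rules in a Role or ClusterRole object."""
    return [i for i, r in enumerate(role.get("rules", [])) if rule_grants_token_creation(r)]

def subjects_with_token_creation(clusterroles, clusterrolebindings):
    """Map 'Kind/namespace/name' of each subject to the risky ClusterRoles it holds.
    Only ClusterRoleBindings count; a RoleBinding would confine it to one namespace."""
    risky = {cr["metadata"]["name"] for cr in clusterroles if find_token_creation_rules(cr)}
    hits = {}
    for crb in clusterrolebindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in crb.get("subjects", []):
            key = f"{s['kind']}/{s.get('namespace', '')}/{s['name']}"
            hits.setdefault(key, []).append(ref["name"])
    return hits

# Constructed sample: a read-only ClusterRole and one that can mint tokens.
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "token-minter"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
               {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "token-minter"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "builder"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
```

Running `subjects_with_token_creation(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS)` on the sample reports only the `ci/builder` ServiceAccount via `token-minter`; feed it real cluster output to list every subject that can mint tokens for any ServiceAccount.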