Vulnerability description
Detects whether kube-apiserver includes the --token-auth-file startup argument.
id: k8s-apiserver-token-auth-file

info:
  name: Detect kube-apiserver --token-auth-file usage
  author: songyaeji
  severity: high
  description: Detects whether kube-apiserver includes the --token-auth-file startup argument.
  impact: |
    If the API server is started with --token-auth-file, static token file authentication may be allowed, which can enable long-lived or poorly managed tokens and weaken cluster authentication posture.
  remediation: |
    Remove the --token-auth-file argument from the kube-apiserver startup flags (e.g., edit
    /etc/kubernetes/manifests/kube-apiserver.yaml) or ensure any tokens in that file are rotated
    and managed securely. Prefer dynamic, short-lived service account tokens and RBAC.
  reference:
    - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security

variables:
  argument: "--token-auth-file"

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'kube-apiserver'

      - type: word
        words:
          - "{{argument}}"

    extractors:
      - type: dsl
        dsl:
          - '"kube-apiserver is configured with " + argument + ". Review and remove if unnecessary."'
# digest: 490a004630440220406c76857bf007a985f74be4f4f7f85f7f8da773fb9d363ae9deb4995c4155b10220309ba2bba33bee584dc505e418d7ed08ab3aef4beac30fe1888fa3bccba92797:922c64590222798bb761d5b6d8e72950
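As an added example (not part of the Nuclei template above), the following shell script applies the template's two AND-joined word matchers to the container command list that the jsonpath query prints, and additionally extracts the path passed to --token-auth-file so the operator knows which file to rotate or remove. The command lists are constructed samples, and check_cluster is a hypothetical wrapper that assumes kubectl access to kube-system.

```shell
#!/bin/sh
# Added example, not part of the Nuclei template. Works on the container
# command list that the template's kubectl jsonpath query prints, e.g.
#   ["kube-apiserver","--advertise-address=...","--token-auth-file=/path"]
# The two samples below are constructed, not captured from a real cluster.
SAMPLE_WITH_FLAG='["kube-apiserver","--advertise-address=10.0.0.10","--token-auth-file=/etc/kubernetes/known_tokens.csv","--authorization-mode=Node,RBAC"]'
SAMPLE_WITHOUT_FLAG='["kube-apiserver","--advertise-address=10.0.0.10","--authorization-mode=Node,RBAC"]'

# apiserver_uses_token_file CMD_LIST
#   Same logic as the template's two word matchers joined by AND: the list
#   must name kube-apiserver AND contain --token-auth-file. Returns 0 if so.
apiserver_uses_token_file() {
    case "$1" in
        *kube-apiserver*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *--token-auth-file*) return 0 ;;
        *) return 1 ;;
    esac
}

# token_file_path CMD_LIST
#   Print the path given to --token-auth-file, in either the "--flag=path"
#   form or the split form "--flag","path", so the operator knows which file
#   holds the static tokens. Prints nothing when the flag is absent.
#   Splitting on commas is a simplification: it also splits values such as
#   Node,RBAC, which is harmless here because only the token-file element
#   is inspected.
token_file_path() {
    printf '%s\n' "$1" | sed 's/[]["]//g' | tr ',' '\n' | awk '
        take { print; exit }
        $0 == "--token-auth-file" { take = 1; next }
        sub(/^--token-auth-file=/, "") { print; exit }
    '
}

# check_cluster: hypothetical live wrapper (assumes kubectl and read access
# to kube-system). Runs the template's query and reports the finding with
# the same wording the template's extractor emits. Returns 1 on a finding.
check_cluster() {
    cmd=$(kubectl get pods -n kube-system -l component=kube-apiserver \
          -o jsonpath='{.items[*].spec.containers[*].command}')
    if apiserver_uses_token_file "$cmd"; then
        echo "kube-apiserver is configured with --token-auth-file. Review and remove if unnecessary."
        echo "token file: $(token_file_path "$cmd")"
        return 1
    fi
    echo "kube-apiserver does not use --token-auth-file"
}
```

The live wrapper exits non-zero on a finding so it can gate a CI or admission pipeline the same way the template's high severity would.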