When you create a Container Service for Kubernetes (ACK) cluster, you can enable service account token volume projection to enhance security when you use service accounts. With this feature, kubelet requests the token on behalf of the pod and writes it into a projected volume, and you can configure token properties such as the audience and validity period. If a token has existed for more than 24 hours, or 20% or less of its validity period remains, kubelet automatically rotates the token. This topic describes how to configure and use service account token volume projection for an ACK cluster.
Legacy service account tokens, which are stored in Secrets, have the following issues:
- The JSON Web Tokens (JWTs) are not bound to an audience. Any service that receives such a token can replay it to another service, including the API server, and masquerade as the presenter.
- The token is stored in a Secret and delivered to the node as a file. The service accounts used by system components are often granted more permissions than they need, which gives the Kubernetes control plane a broad attack surface: an attacker who reads the token of a system component from a node or a pod can use that service account to escalate privileges.
- The JWTs are not time-bound. A JWT that is compromised in one of the attacks above remains valid for as long as the service account exists. The only remedy is to rotate the signing key of the service account, and because client-go does not support automatic key rotation, the key must be rotated manually, which is complex.
- A Secret must be created for each service account, which limits scalability in large-scale workload deployments.
ACK supports the BoundServiceAccountTokenVolume feature to enhance the security of service accounts. With this feature, a pod uses a projected volume to mount a short-lived, audience-bound service account token into a container, so that the dependency on Secrets is reduced.
Step 1: Enable service account token volume projection
| Parameter | Description | Default | Configuration in the ACK console |
| --- | --- | --- | --- |
| service-account-issuer | The issuer of the service account token, which corresponds to the iss claim in the token payload. | https://kubernetes.default.svc | Supported |
| api-audiences | The identifiers of the API server. The API server accepts a token only if its aud claim contains at least one of these identifiers. | https://kubernetes.default.svc | Supported. You can set one or more audiences. Separate multiple audiences with commas. |
| service-account-signing-key-file | The path of the private key file that is used to sign the token. | /etc/kubernetes/pki/sa.key | Not supported. Default value: /etc/kubernetes/pki/sa.key. |
Step 2: Use service account token volume projection
Create a service account named build-robot:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF
```
Create a pod that runs as build-robot and mounts a token issued for the audience vault with a validity period of 7200 seconds. The token is written to /var/run/secrets/tokens/vault-token in the container:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: build-robot
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token            # file name under mountPath
          expirationSeconds: 7200      # validity period; kubelet rotates before expiry
          audience: vault              # aud claim; the consuming service must check it
```
- Make sure that the application in the pod periodically re-reads the token file, because kubelet rotates the token in place and a token cached in memory will eventually expire. We recommend that you reload the token once every 5 minutes. client-go 10.0.0 and later versions reload the token automatically.
- The permissions of the token file that corresponds to a service account are no longer 644. When BoundServiceAccountTokenVolume is used, the permissions are 600. When fsGroup is set in the pod's securityContext, the permissions are 640. A container that runs as a non-root user that does not own the file therefore cannot read the token unless fsGroup is set; verify this with ls -l on the mounted file inside the container.
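As an added illustration (not code from the ACK documentation), the following Python script shows what an application that consumes the projected token should do: decode the claims, check that the token is audience-bound, time-bound and bound to a pod, apply the kubelet rotation rule quoted above, and re-read the token file at the recommended 5-minute interval instead of caching it forever. The sample token is constructed inline from the build-robot and nginx manifests above; its uids and signature are made up, and the signature is never verified here (only the API server can do that).

```python
import base64
import json
import time

RELOAD_INTERVAL_SECONDS = 300  # re-read the projected file at least every 5 minutes


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT checked here:
    only the API server can verify it (TokenReview), so use these claims for
    local decisions such as when to reload, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_bound_token(claims, audience, now=None):
    """List the properties a bound token must have that this token lacks."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    problems = []
    if audience not in aud:
        problems.append("audience %r not in %r" % (audience, aud))
    if "exp" not in claims:
        problems.append("no exp claim: legacy Secret-based token that never expires")
    elif claims["exp"] <= now:
        problems.append("token has expired")
    if "pod" not in claims.get("kubernetes.io", {}):
        problems.append("not bound to a pod (no kubernetes.io.pod claim)")
    return problems


def needs_rotation(claims, now=None):
    """The kubelet rule described above: rotate once the token is older than
    24 hours or 20% or less of its validity period remains."""
    now = time.time() if now is None else now
    iat, exp = claims["iat"], claims["exp"]
    return now - iat >= 24 * 3600 or exp - now <= 0.2 * (exp - iat)


class ProjectedTokenSource:
    """Cache the token read from the projected volume and re-read the file
    every RELOAD_INTERVAL_SECONDS so the rotated token is picked up.
    Inside the pod above the path is /var/run/secrets/tokens/vault-token."""

    def __init__(self, path, reload_interval=RELOAD_INTERVAL_SECONDS):
        self.path = path
        self.reload_interval = reload_interval
        self._token = None
        self._loaded_at = 0.0

    def token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now - self._loaded_at >= self.reload_interval:
            with open(self.path) as f:
                self._token = f.read().strip()
            self._loaded_at = now
        return self._token


def make_sample_token(iat, expiration_seconds=7200, audience="vault"):
    """Constructed sample shaped like the token kubelet projects for the nginx
    pod above. The uids are made up and the signature is a dummy string."""
    header = {"alg": "RS256", "kid": "sample-kid"}
    payload = {
        "aud": [audience],
        "iat": iat, "nbf": iat, "exp": iat + expiration_seconds,
        "iss": "https://kubernetes.default.svc",
        "kubernetes.io": {
            "namespace": "default",
            "pod": {"name": "nginx", "uid": "00000000-0000-4000-8000-000000000001"},
            "serviceaccount": {"name": "build-robot",
                               "uid": "00000000-0000-4000-8000-000000000002"},
        },
        "sub": "system:serviceaccount:default:build-robot",
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"dummy-signature")])


if __name__ == "__main__":
    t0 = 1_700_000_000
    claims = decode_claims(make_sample_token(t0))
    print(check_bound_token(claims, "vault", now=t0 + 60))  # []
    print(needs_rotation(claims, now=t0 + 60))              # False
    print(needs_rotation(claims, now=t0 + 6000))            # True: 1200 s of 7200 s left
```

Point ProjectedTokenSource at the mounted file and call token() before each request to the consuming service; a legacy Secret-based token fails check_bound_token on all three counts (no audience, no exp, no pod binding), which is a quick way to confirm that the projected volume, not the legacy Secret, is what the container is actually using.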