nuclei-templates icon indicating copy to clipboard operation
nuclei-templates copied to clipboard

add k8s-apiserver-service-account-lookup

Open songyaeji opened this issue 6 months ago • 1 comments

Template / PR Information

When --service-account-lookup=true is set, the API server will perform service account lookup behavior which can have security implications depending on cluster configuration. Review whether this behavior is required.

  • References:
  • https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
  • Cloud Vulnerability Assessment Guide(2024) by KISA

Template Validation

I've validated this template locally?

  • [x] YES
  • [ ] NO

Additional References:

songyaeji avatar Oct 10 '25 16:10 songyaeji

Hello @songyaeji Thank you for sharing this template with the community. Works after correcting matcher structure (condition: and inside matcher block). Tested on Kind cluster successfully.

Akokonunes avatar Oct 29 '25 08:10 Akokonunes

Thank you for your contribution but looks like we already have a template for this check, k8s-svc-acct-lookup-set.yaml in the same directory.

Also, the logic here would alert when --service-account-lookup=true is present but that is actually the secure default (it ensures deleted tokens get immediately revoked). The existing template correctly checks for when it is missing or disabled.

Closing this as a duplicate. If you believe I missed something, feel free to reopen.

princechaddha avatar Nov 05 '25 08:11 princechaddha