add k8s-apiserver-service-account-lookup
Template / PR Information
When `--service-account-lookup=true` is set, the API server will perform service account lookup behavior, which can have security implications depending on cluster configuration. Review whether this behavior is required.
- References:
  - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
  - Cloud Vulnerability Assessment Guide (2024) by KISA
Template Validation
I've validated this template locally?
- [x] YES
- [ ] NO
Additional References:
Hello @songyaeji, thank you for sharing this template with the community.
Works after correcting the matcher structure (`condition: and` inside the matcher block). Tested on a Kind cluster successfully.
Thank you for your contribution, but it looks like we already have a template for this check, `k8s-svc-acct-lookup-set.yaml`, in the same directory.
Also, the logic here would alert when `--service-account-lookup=true` is present, but that is actually the secure default (it ensures deleted tokens get immediately revoked). The existing template correctly checks for when it is missing or disabled.
Closing this as a duplicate. If you believe I missed something, feel free to reopen.
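The distinction the reviewer draws (`true` is the secure state; a finding is warranted only when the flag is disabled or absent) expressed as runnable detection logic. This is an added example for this page, not code from nuclei-templates or from the submitted template. The node names and argv lists are constructed, and treating an absent flag as a (low-priority) finding is an assumption that mirrors the behaviour attributed above to the existing `k8s-svc-acct-lookup-set` check; kube-apiserver itself defaults the flag to `true`.

```python
"""Detection logic for the kube-apiserver --service-account-lookup flag.

Added example, not code from nuclei-templates or from the submitted template.
The flag set to true is the secure state; a finding is raised only when the
flag is explicitly disabled or (conservatively) absent.
"""
import shlex

FLAG = "--service-account-lookup"

# Spellings accepted by Go's strconv.ParseBool, which kube-apiserver's flag
# parsing uses for boolean flags.
_TRUE = {"1", "t", "T", "TRUE", "true", "True"}
_FALSE = {"0", "f", "F", "FALSE", "false", "False"}


def parse_long_flags(argv):
    """Map each --flag in argv to its value (None for a bare --flag).

    pflag-style boolean flags take the form --flag or --flag=value, never
    --flag value, so a following token is not consumed as the value.
    """
    flags = {}
    for arg in argv:
        if not arg.startswith("--"):
            continue
        name, sep, value = arg.partition("=")
        flags[name] = value if sep else None
    return flags


def check_service_account_lookup(argv):
    """Return (status, detail) for one kube-apiserver command line.

    status is "ok", "missing", "disabled" or "unknown"; only "ok" is clean.
    """
    flags = parse_long_flags(argv)
    if FLAG not in flags:
        # kube-apiserver defaults this flag to true; reporting its absence is
        # an assumption so operators pin the secure value explicitly.
        return ("missing", f"{FLAG} not set; defaults to true but should be explicit")
    value = flags[FLAG]
    if value is None or value in _TRUE:
        return ("ok", f"{FLAG} is enabled; tokens are checked against live ServiceAccounts")
    if value in _FALSE:
        return ("disabled", f"{FLAG}={value}: the API server only verifies the token "
                            "signature, so tokens of deleted ServiceAccounts keep working")
    return ("unknown", f"{FLAG} has unparseable value {value!r}")


def check_ps_line(line):
    """Run the check on a `ps -ef`-style line for the kube-apiserver process."""
    tokens = shlex.split(line)
    start = next((i for i, tok in enumerate(tokens) if tok.endswith("kube-apiserver")), None)
    if start is None:
        return ("unknown", "no kube-apiserver process on this line")
    return check_service_account_lookup(tokens[start:])


# Constructed sample: argv lists as they would appear under
# spec.containers[].command in /etc/kubernetes/manifests/kube-apiserver.yaml.
# Node names are made up for this example.
SAMPLE_NODES = {
    "control-plane-1": ["kube-apiserver", "--anonymous-auth=false", "--service-account-lookup=true"],
    "control-plane-2": ["kube-apiserver", "--service-account-lookup=false", "--anonymous-auth=false"],
    "control-plane-3": ["kube-apiserver", "--anonymous-auth=false"],
}


def scan_nodes(nodes):
    """Return {node: status} for a mapping of node name -> kube-apiserver argv."""
    return {node: check_service_account_lookup(argv)[0] for node, argv in nodes.items()}


if __name__ == "__main__":
    for node, argv in SAMPLE_NODES.items():
        status, detail = check_service_account_lookup(argv)
        print(f"{node}: {status} - {detail}")
```

Running the module prints one line per sample node; `control-plane-2` is the only one that would have matched the submitted template's inverted logic as "safe", and it is the one that actually accepts tokens for deleted service accounts.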