mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 15:53:33 +08:00
43 lines
1.7 KiB
YAML
43 lines
1.7 KiB
YAML
id: k8s-apiserver-token-auth-file
|
|
|
|
info:
|
|
name: Detect kube-apiserver --token-auth-file usage
|
|
author: songyaeji
|
|
severity: high
|
|
description: Detects whether kube-apiserver includes the --token-auth-file startup argument.
|
|
impact: |
|
|
If the API server is started with --token-auth-file, static token file authentication may be allowed, which can enable long-lived or poorly managed tokens and weaken cluster authentication posture.
|
|
remediation: |
|
|
Remove the --token-auth-file argument from the kube-apiserver startup flags (e.g., edit
|
|
/etc/kubernetes/manifests/kube-apiserver.yaml) or ensure any tokens in that file are rotated
|
|
and managed securely. Prefer dynamic, short-lived service account tokens and RBAC.
|
|
reference:
|
|
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
|
|
tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
|
|
|
|
variables:
|
|
argument: "--token-auth-file"
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- 'kube-apiserver'
|
|
|
|
- type: word
|
|
words:
|
|
- "{{argument}}"
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- '"kube-apiserver is configured with " + argument + ". Review and remove if unnecessary."'
|
|
# digest: 490a0046304402200b43f701e6f0a01515ccfbe3581574736f00a1d52d0cb90422a653e03290132402204c19adcd6d7d1fe2591a409eb1cdcc4a93f1755a5e1dbe578c53ff2045ee93b5:922c64590222798bb761d5b6d8e72950 |