Token Exposure Analysis
This document analyzes the risks associated with service account token exposure in the Secure CINC Auditor Kubernetes Container Scanning solution, and the mitigations implemented to address these risks.
Token Exposure Risks
Service account tokens are used to authenticate with the Kubernetes API server. If exposed, these tokens could potentially allow unauthorized access to Kubernetes resources.
Limited Token Capabilities
If a token is exposed, the attacker can only:
- List pods in the target namespace
- Execute commands in specifically allowed containers
- View logs of specifically allowed containers
The token cannot be used to:
- Create, modify, or delete any resources
- Access any other containers
- Access any cluster-wide information
- Escalate privileges
Potential Token Exposure Scenarios
CI/CD Pipeline Exposure
Scenario: Tokens stored in CI/CD variables are exposed through pipeline logs or configuration.
Mitigations:
- Short-lived tokens generated for each pipeline run
- Masked variables in CI/CD systems
- Tokens automatically expire after pipeline completion
- Just-in-time token generation
Scanner Process Compromise
Scenario: The scanner process itself is compromised, exposing the token it uses.
Mitigations:
- Token has minimal permissions through RBAC
- Token expires automatically (default: 15 minutes)
- Network policies restrict token usage
- Comprehensive audit logging of token usage
Log Exposure
Scenario: Tokens are accidentally logged in debug output or error messages.
Mitigations:
- Sanitized logging to prevent token logging
- Token format detection in log pipelines
- Automatic token revocation if detected in logs
- Log access restrictions
Network Interception
Scenario: Tokens are intercepted during transmission between components.
Mitigations:
- TLS encryption for all API communication
- Internal Kubernetes DNS for service communication
- Network policies restricting communication paths
- Token bound to specific service accounts
Time-Limited Token Implementation
A key mitigation for token exposure is the use of short-lived tokens:
This token:
- Automatically expires after 15 minutes
- Is bound to a specific pod
- Cannot be used from other contexts
- Does not need manual revocation
RBAC Limitations
The following RBAC configuration limits what can be done with an exposed token:
This configuration:
- Limits access to specific pods
- Only allows execution, not modification
- Is namespace-scoped
- Provides no access to secrets or other resources
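The manifests below are an added illustration (not the project's own code) of the short-lived, pod-bound token and the namespace-scoped RBAC restrictions described in the two sections above; the namespace, pod and service-account names are placeholders.

```yaml
# Added example; names (scan-target, cinc-scanner, app-pod-1/2) are placeholders.
# 1) TokenRequest equivalent to: kubectl create token cinc-scanner -n scan-target --duration=15m --bound-object-kind=Pod --bound-object-name=app-pod-1
apiVersion: authentication.k8s.io/v1
kind: TokenRequest
spec:
  audiences: ["https://kubernetes.default.svc"]  # rejected if presented to any other audience
  expirationSeconds: 900                         # 15 minutes (the API minimum is 600)
  boundObjectRef:                                # token becomes invalid once this pod is gone
    apiVersion: v1
    kind: Pod
    name: app-pod-1
---
# 2) Namespace-scoped Role for the scanner's service account
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cinc-scanner
  namespace: scan-target
rules:
  # resourceNames cannot narrow list/watch, so listing covers the whole namespace; every other rule is pinned to named pods
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["app-pod-1", "app-pod-2"]
    verbs: ["get"]
  # exec is a POST on the subresource, so the verb is "create"; it grants nothing on pods themselves. RBAC selects pods, not containers: the container restriction must be enforced by the scanner wrapper.
  - apiGroups: [""]
    resources: ["pods/exec"]
    resourceNames: ["app-pod-1", "app-pod-2"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    resourceNames: ["app-pod-1", "app-pod-2"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cinc-scanner
  namespace: scan-target
subjects:
  - kind: ServiceAccount
    name: cinc-scanner
    namespace: scan-target
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cinc-scanner
```

Because the Role contains no rule for secrets, configmaps or any other resource, and no create/update/patch/delete verb on pods, a leaked token can be checked against these limits with `kubectl auth can-i --list` as that service account.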
Token Storage Recommendations
To minimize token exposure risk:
- Ephemeral Storage: Store tokens in memory, not on disk
- Environment Variables: Use environment variables instead of files when possible
- Secure Distribution: Implement secure token distribution mechanisms
- No Caching: Generate new tokens for each operation, don't cache tokens
- Masked Variables: Mask tokens in CI/CD variables and logs
Token Exposure Detection
Mechanisms to detect potential token exposure:
- Audit Logging: Enable comprehensive API server audit logging
- Usage Monitoring: Monitor token usage patterns for anomalies
- Access Analysis: Analyze access patterns for unusual behavior
- Failed Authentication Monitoring: Alert on multiple failed authentication attempts
CI/CD System Integration
Best practices for token handling in CI/CD systems:
- Masked Variables: Configure CI/CD systems to mask token values
- Pipeline-scoped Tokens: Generate unique tokens for each pipeline run
- Token Rotation: Rotate service accounts regularly
- Just-in-Time Generation: Generate tokens only when needed, not in advance
- Post-pipeline Cleanup: Ensure tokens are not persisted after pipeline completion
Approach-Specific Considerations
All scanning approaches use the same token mechanism with similar exposure risks and mitigations. There are no significant differences in token handling between approaches.
Related Documentation
- Attack Vectors - Analysis of general attack vectors
- Lateral Movement - Analysis of lateral movement risks
- Threat Mitigations - Comprehensive mitigation strategies
- Ephemeral Credentials - Details on ephemeral credential implementation