Kubernetes Service Account Token

Description

General

  • Documentation: https://kubernetes.io/docs/reference/access-authn-authz/authentication/

  • Summary: Kubernetes is a system for automating deployment, scaling, and management of containerized applications. JSON Web Tokens are used for authentication in Kubernetes, often for service accounts or short-lived access tokens. These tokens are sensitive as they grant access to Kubernetes clusters and resources.

  • IPs allowlist: As of the time of writing this documentation, IP allowlisting for Kubernetes JWTs depends on the cluster configuration and provider.

  • Scopes: Kubernetes JWTs are tied to specific service accounts or users and inherit their permissions. Access can be limited by defining roles and role bindings in Kubernetes Role-Based Access Control (RBAC).

Revoke the secret

Kubernetes JWTs can be revoked by deleting the associated service account or regenerating the token. For short-lived tokens, expiration ensures automatic revocation.

Check for suspicious activity

Kubernetes logs API requests and authentication events, which can be reviewed to detect suspicious activity.
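
An added example, not part of the original page: it decodes a leaked service account token (without verifying the signature) to name the account to revoke and to tell a legacy non-expiring token from a short-lived one, then filters audit events for that identity. It assumes audit logging is enabled with a JSON-lines log backend; the function names, the `ci`/`deployer` account, the tokens and the IPs are constructed for illustration.

```python
import base64, json, time

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (triage only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def triage(token, now=None):
    """Name the service account behind a leaked token and whether it has expired."""
    c = decode_claims(token)
    ns = c.get("kubernetes.io/serviceaccount/namespace")
    if ns:  # legacy Secret-based token: no exp, valid until the Secret or account is deleted
        name = c.get("kubernetes.io/serviceaccount/service-account.name")
        return {"kind": "legacy", "subject": f"system:serviceaccount:{ns}:{name}",
                "secret": c.get("kubernetes.io/serviceaccount/secret.name"), "expired": False}
    exp = c.get("exp")  # bound (TokenRequest) token: short-lived, carries exp
    now = time.time() if now is None else now
    return {"kind": "bound", "subject": c.get("sub"), "secret": None,
            "expired": exp is not None and exp <= now}

def audit_hits(audit_lines, subject, trusted_ips):
    """Audit events performed as `subject` from any IP outside `trusted_ips`."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        ips = ev.get("sourceIPs", [])
        if ev.get("user", {}).get("username") == subject and not set(ips) <= set(trusted_ips):
            hits.append((ev["verb"], ev["requestURI"], ips))
    return hits

# --- Constructed sample data: not real credentials, names, or logs ---
def b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def event(user, verb, uri, ip):
    return json.dumps({"user": {"username": user}, "verb": verb, "requestURI": uri, "sourceIPs": [ip]})

SA = "system:serviceaccount:ci:deployer"
LEGACY = ".".join([b64({"alg": "RS256"}), b64({
    "iss": "kubernetes/serviceaccount", "sub": SA,
    "kubernetes.io/serviceaccount/namespace": "ci",
    "kubernetes.io/serviceaccount/service-account.name": "deployer",
    "kubernetes.io/serviceaccount/secret.name": "deployer-token-abc12"}), "c2ln"])
BOUND = ".".join([b64({"alg": "RS256"}), b64({"sub": SA, "exp": 1700003600}), "c2ln"])
AUDIT = [event(SA, "list", "/api/v1/namespaces/ci/pods", "10.0.4.17"),
         event(SA, "get", "/api/v1/namespaces/ci/secrets", "203.0.113.50"),
         event("system:serviceaccount:ci:builder", "get", "/api/v1/nodes", "203.0.113.50")]
```

A `legacy` result means waiting for expiry is not an option: the named Secret or the service account has to be deleted.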

Details for Kubernetes jwt

  • Family: token

  • Category: other

  • Company: Kubernetes

  • High recall: False

  • Validity check available: False

  • Analyzer available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 3.14

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
    - \.ey

Examples

- text: |
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.IXTEsiuDa3fYINbatF4ZehO74aYC0WePZ4032oVddtU
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.IXTEsiuDa3fYINbatF4ZehO74aYC0WePZ4032oVddtU
# test underscore in K8S JWT
- text: |
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.IXTEsiuDa3_fYINbatF4ZehO74aYC0WePZ4032oVddtU
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.IXTEsiuDa3_fYINbatF4ZehO74aYC0WePZ4032oVddtU