
KubeFM That Time I Found a Service Account Token in my Log Files, with Vincent von Büren
You're integrating HashiCorp Vault into your Kubernetes cluster and add a temporary debug log line to check whether the ServiceAccount token is being passed correctly. Three months later, that log line is still in production, and the token it prints has a 1-year expiry and is scoped to the cluster's API server rather than to Vault, so anyone who can read the logs can replay it against any system that validates tokens through the API server.
Vincent von Büren, a platform engineer at ipt in Switzerland, lived through exactly this incident. In this episode, he breaks down why default Kubernetes ServiceAccount tokens are a quiet security risk hiding in plain sight.
You will learn:
What's actually inside a Kubernetes ServiceAccount JWT (issuer, subject, audience, and expiry)
Why tokens with no audience scoping enable replay attacks across internal and external systems
How Vault's Kubernetes auth method and JWT auth method compare, and when to choose each
What projected tokens are, why they dramatically reduce blast radius, and what's holding teams back from using them
Practical steps for auditing which pods actually need API access and disabling auto-mounting everywhere else
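One way to triage the incident described above and to do the audit from the last item, as an added example that is not code from the episode, KubeFM, ipt or HashiCorp: a Python script that finds JWTs in log lines, decodes their iss/sub/aud/exp claims (without verifying signatures, since the point is triage of an already-leaked token), flags the two properties that make a leak replayable (an audience of the API server and a long remaining lifetime), and lists the pods in `kubectl get pods -A -o json` output that still have a token volume mounted. The API-server audience value, the 24-hour lifetime threshold, the tokens, the log lines and the pod JSON are all constructed assumptions.

```python
"""Triage ServiceAccount JWTs found in log lines and audit which pods still
get a token mounted. Added example, not code from the episode, KubeFM or ipt.
Claims are decoded WITHOUT signature verification: this is triage of tokens
we already treat as leaked, not authentication."""
import base64
import json
import re
from datetime import datetime, timezone

# Audience the kube-apiserver issues for the auto-mounted token (assumed to be
# the usual default). Anything that validates tokens via TokenReview, such as
# Vault's kubernetes auth method, accepts a token for this audience, so a leaked
# one is replayable there; a projected token for audience "vault" is not.
API_SERVER_AUDIENCE = "https://kubernetes.default.svc.cluster.local"
MAX_ACCEPTABLE_LIFETIME = 24 * 3600  # seconds; assumed policy threshold
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped string with a placeholder signature (constructed test data;
    a real token is RS256-signed by the API server)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    """Payload claims only; the signature is deliberately not checked."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def assess_token(token: str, now: int) -> dict:
    """Report iss/sub/aud/exp and flag what makes a leak dangerous."""
    c = decode_claims(token)
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    remaining = c["exp"] - now
    findings = []
    if API_SERVER_AUDIENCE in aud:
        findings.append("audience is the API server: replayable via TokenReview")
    if remaining > MAX_ACCEPTABLE_LIFETIME:
        findings.append(f"{remaining // 86400} days of validity remain")
    k8s = c.get("kubernetes.io", {})
    return {"issuer": c.get("iss"), "subject": c.get("sub"), "audience": aud,
            "expires": datetime.fromtimestamp(c["exp"], timezone.utc).isoformat(),
            "namespace": k8s.get("namespace"), "pod": k8s.get("pod", {}).get("name"),
            "remaining_seconds": remaining, "findings": findings}

def scan_logs(lines, now: int) -> list:
    """Find JWT-looking strings in log lines and assess each one."""
    reports = []
    for lineno, line in enumerate(lines, 1):
        for m in JWT_RE.finditer(line):
            try:
                report = assess_token(m.group(0), now)
            except (ValueError, KeyError, IndexError):
                continue  # looked like a JWT but is not a usable SA token
            reports.append(dict(report, line=lineno))
    return reports

def pods_with_token_mounted(pod_list: dict) -> list:
    """From `kubectl get pods -A -o json`, list pods with a projected
    ServiceAccount token volume. Checking rendered volumes rather than the
    automountServiceAccountToken field also covers the case where the pod
    leaves it unset and the opt-out lives on the ServiceAccount."""
    hits = []
    for pod in pod_list.get("items", []):
        for vol in pod.get("spec", {}).get("volumes", []):
            if any("serviceAccountToken" in s
                   for s in vol.get("projected", {}).get("sources", [])):
                hits.append(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}")
                break
    return hits

# ---- constructed sample data: not real tokens, pods or logs ----
NOW = 1_700_000_000
SA = "system:serviceaccount:payments:vault-agent"
ISS = "https://kubernetes.default.svc.cluster.local"
LEAKED = make_unsigned_token({  # 1-year auto-mounted token, three months in
    "iss": ISS, "sub": SA, "aud": [API_SERVER_AUDIENCE],
    "iat": NOW - 90 * 86400, "exp": NOW + 275 * 86400,
    "kubernetes.io": {"namespace": "payments", "pod": {"name": "vault-agent-7d9f"}}})
SCOPED = make_unsigned_token({  # 10-minute projected token for Vault only
    "iss": ISS, "sub": SA, "aud": ["vault"], "iat": NOW, "exp": NOW + 600})
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z INFO  vault-agent starting",
    f"2024-01-01T10:00:01Z DEBUG sa token={LEAKED}",
    f"2024-01-01T10:00:02Z DEBUG projected token={SCOPED}",
    "2024-01-01T10:00:03Z INFO  vault login ok"]
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "payments", "name": "vault-agent-7d9f"},
     "spec": {"volumes": [{"name": "kube-api-access-x1", "projected": {"sources": [
         {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}},
         {"configMap": {"name": "kube-root-ca.crt"}}]}}]}},
    {"metadata": {"namespace": "web", "name": "frontend-1"},
     "spec": {"automountServiceAccountToken": False,
              "volumes": [{"name": "tls", "secret": {"secretName": "frontend-tls"}}]}}]}
```

On the sample data, `scan_logs(SAMPLE_LOG, NOW)` reports the leaked token on log line 2 with two findings (API-server audience, 275 days left) and the Vault-scoped projected token on line 3 with none, and `pods_with_token_mounted(SAMPLE_PODS)` returns only the `payments/vault-agent-7d9f` pod. Against a real cluster, feed `scan_logs` your log lines and `pods_with_token_mounted` the parsed `kubectl` JSON; the pod check only detects projected token volumes, not legacy secret-based token mounts, and any token the scanner flags should be treated as a compromised credential, which for a bound projected token means deleting the pod it was issued to, since that invalidates the token.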
Sponsor
This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training.
More info
Find all the links and info for this episode here: https://ku.bz/LTnB_Ntbc
