Create ServiceAccount Tokens (ClusterRole for any SA in any namespace)
Spoofing
Critical
Overview
| Field | Value |
|---|---|
| ID | 1048 |
| Name | Create ServiceAccount Tokens (ClusterRole for any SA in any namespace) |
| Risk Category | Spoofing |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | authentication.k8s.io |
| Resources | serviceaccounts/token |
| Verbs | create |
| Tags | CredentialAccess Impersonation PrivilegeEscalation Spoofing TokenCreation |
Description
Permits creating tokens for any ServiceAccount in any namespace. This is highly critical as it allows an attacker to generate tokens for highly privileged ServiceAccounts (e.g., those bound to cluster-admin), leading to impersonation, credential access, and full privilege escalation.