This issue was reported in the Kubernetes Security Audit Report
Description
Credential paths should not be hardcoded within the source code of an application. Paths should be configurable through a standard configuration interface to allow an operator to specify file paths.
```go
// InClusterConfig returns a config object which uses the service account
// kubernetes gives to pods. It's intended for clients that expect to be
// running inside a pod running on kubernetes. It will return ErrNotInCluster
// if called from a process not running in a kubernetes environment.
func InClusterConfig() (*Config, error) {
	const (
		tokenFile  = "/var/run/secrets/kubernetes.io/serviceaccount/token"
		rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
	)
```
Figure 21.1: An example hardcoded token and certificate path from vendor/k8s.io/client-go/rest/config.go
Exploit Scenario
Alice configures a cluster with the token and root Certificate Authority (CA) files in another location. Eve realizes that the locations expected by code are different, and inserts a malicious token and root CA, allowing her to take over the cluster.
Recommendation
Short term, implement a configuration method for credential paths. Avoid relying on hardcoded paths.
Long term, consider generalizing the path default to allow for cross-platform configurations. By not detecting the underlying host system, paths may fail to resolve to the correct location appropriately.
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-006 and it was finding 23 of the report.
The vendor considers this issue Low Severity.
To view the original finding, begin on page 64 of the Kubernetes Security Review Report
Environment:
- Kubernetes version: 1.13.4
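
One way the short-term recommendation above could look, as an added example that is not code from client-go or from the audit report: the credential directory becomes an operator-supplied value with the current location as the default, and resolution fails closed instead of silently reading from a location the operator did not intend. `CredentialPaths`, `ResolveCredentialPaths`, and the writable-permission check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Default directory, taken from the constants hardcoded in InClusterConfig.
const defaultSADir = "/var/run/secrets/kubernetes.io/serviceaccount"

// CredentialPaths (hypothetical type) holds the resolved credential locations.
type CredentialPaths struct{ TokenFile, RootCAFile string }

// ResolveCredentialPaths (hypothetical helper) takes an operator-supplied
// directory; "" selects the default. It fails closed: relative paths, missing
// files, non-regular files and group/world-writable files are all rejected.
func ResolveCredentialPaths(dir string) (CredentialPaths, error) {
	if dir == "" {
		dir = defaultSADir
	}
	if !filepath.IsAbs(dir) {
		return CredentialPaths{}, fmt.Errorf("credential dir %q is not absolute", dir)
	}
	p := CredentialPaths{filepath.Join(dir, "token"), filepath.Join(dir, "ca.crt")}
	for _, f := range []string{p.TokenFile, p.RootCAFile} {
		fi, err := os.Stat(f) // follows symlinks, so a symlinked token file is accepted
		if err != nil {
			return CredentialPaths{}, fmt.Errorf("credential file: %w", err)
		}
		if !fi.Mode().IsRegular() {
			return CredentialPaths{}, fmt.Errorf("%s is not a regular file", f)
		}
		if fi.Mode().Perm()&0o022 != 0 {
			return CredentialPaths{}, fmt.Errorf("%s is group/world-writable", f)
		}
	}
	return p, nil
}

func main() {
	// Constructed sample: a temp dir stands in for an operator-chosen location.
	dir, _ := os.MkdirTemp("", "sa-creds")
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "token"), []byte("constructed-token"), 0o600)
	os.WriteFile(filepath.Join(dir, "ca.crt"), []byte("constructed-ca"), 0o600)
	fmt.Println(ResolveCredentialPaths(dir))
}
```

Because `filepath.IsAbs` is platform-aware, the Unix-style default is rejected on Windows, which is the cross-platform gap the long-term recommendation points at.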