Skip to content

Kubeflow Service Account Key

Service Name: Kubeflow

Service Description: Kubeflow is an open-source machine learning platform designed to make deployments of ML workflows on Kubernetes simple, portable, and scalable. It provides a straightforward way to deploy best-of-breed open-source systems for ML to diverse infrastructures.

Service Address: https://www.kubeflow.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be implemented at the Kubernetes cluster level using Network Policies or through the cloud provider's security groups if running on cloud infrastructure.

Secret Access Scope: Grants programmatic access to Kubeflow resources and services within a Kubernetes cluster. Depending on the permissions assigned to the service account, it may allow management of pipelines, notebooks, training jobs, and other ML workloads.

Secret Revokement URL: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#delete-a-service-account

Secret Example: Kubeflow Service Account Key

Suspicious Activity Investigation Instructions:

  • Review Kubernetes audit logs for unusual API calls or resource access.
  • Check for unauthorized access to Kubeflow pipelines, notebooks, or other resources.
  • Monitor for unusual job submissions or resource creation in the Kubeflow environment.
  • Examine network traffic patterns for unusual data transfers or API calls.
  • Review cloud provider logs if Kubeflow is deployed on a cloud platform.

Mitigation Instructions:

  • Immediately revoke the compromised service account key by deleting the service account or rotating its credentials.
  • For GCP-based Kubeflow deployments:
  • Navigate to the Google Cloud Console IAM section.
  • Locate the service account and disable or delete it.
  • Create a new service account with appropriate permissions if needed.
  • For Kubernetes-based deployments:
  • Use kubectl delete serviceaccount <account-name> -n <namespace> to remove the compromised service account.
  • Create a new service account with appropriate RBAC permissions.
  • Review and update RBAC policies to enforce the Principle of Least Privilege.
  • Implement network policies to restrict service account access to only necessary resources.
  • Enable audit logging for all Kubeflow components to better monitor future activity.