Description
NCC-E003660-47W: Loopback Token Usable Externally
This issue was reported in the Kubernetes 1.24 Security Audit Report
Impact
If an external attacker were able to obtain the API server’s loopback token, they could use it to obtain access with system:masters privileges.
Description
The Kubernetes API server creates an ephemeral “loopback token” at initialization time. This token is assigned to the system:apiserver user, which is a member of the system:masters group. It is used by the API server to authenticate when making calls to its own services on the loopback interface. However, there are no checks in place to ensure that requests using this token have arrived on the loopback interface, or that they originate from localhost. It should be noted that no method for an attacker to acquire the loopback token in order to use it externally was identified; adding these checks is recommended only as a useful additional layer of defense in depth.
Recommendation
Add checks to ensure that the loopback token is only accepted for authentication on the
API server’s loopback interface.
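The following is an added illustration of the recommended check, written for this page; it is not kube-apiserver code and does not use the apiserver's authenticator interfaces. It models a bearer-token authenticator (hypothetical names `LoopbackTokenAuthenticator`, `UserInfo`, `newRequest`, and the constructed token value) that accepts the loopback token only when the request's TCP peer address is a loopback IP, and otherwise fails closed with an error rather than silently falling through to other authenticators.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// UserInfo is a minimal stand-in for the identity an authenticator returns.
// Hypothetical type for this example, not the apiserver's own.
type UserInfo struct {
	Name   string
	Groups []string
}

// ErrNotLoopback is returned when the loopback token is presented on a
// connection that did not arrive over a loopback interface.
var ErrNotLoopback = errors.New("loopback token presented on a non-loopback connection")

// LoopbackTokenAuthenticator accepts the ephemeral loopback token only for
// requests whose TCP peer is a loopback address.
type LoopbackTokenAuthenticator struct {
	token []byte
}

func NewLoopbackTokenAuthenticator(token string) *LoopbackTokenAuthenticator {
	return &LoopbackTokenAuthenticator{token: []byte(token)}
}

// bearerToken extracts the token from an "Authorization: Bearer <token>" header.
func bearerToken(req *http.Request) (string, bool) {
	const prefix = "Bearer "
	auth := req.Header.Get("Authorization")
	if len(auth) <= len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
		return "", false
	}
	tok := strings.TrimSpace(auth[len(prefix):])
	return tok, tok != ""
}

// isLoopbackRemote reports whether a "host:port" remote address is a loopback
// IP (127.0.0.0/8 or ::1). Unparseable addresses count as non-loopback so the
// check fails closed.
func isLoopbackRemote(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	// Drop an IPv6 zone suffix such as "%lo0" before parsing.
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i]
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// AuthenticateRequest returns (user, true, nil) when the loopback token is
// valid and arrived over loopback, (nil, false, nil) when the request carries
// some other credential (so later authenticators can try), and
// (nil, false, ErrNotLoopback) when the loopback token arrives from any other
// address. That last case is the check the finding recommends adding.
func (a *LoopbackTokenAuthenticator) AuthenticateRequest(req *http.Request) (*UserInfo, bool, error) {
	tok, ok := bearerToken(req)
	if !ok || subtle.ConstantTimeCompare([]byte(tok), a.token) != 1 {
		return nil, false, nil
	}
	if !isLoopbackRemote(req.RemoteAddr) {
		return nil, false, ErrNotLoopback
	}
	return &UserInfo{Name: "system:apiserver", Groups: []string{"system:masters"}}, true, nil
}

// newRequest builds a request with the given TCP peer address and
// Authorization header, standing in for a connection the server accepted.
func newRequest(remoteAddr, authorization string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://kube-apiserver/api", nil)
	req.RemoteAddr = remoteAddr
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	return req
}

func main() {
	// Constructed token for the example; the real one is random and ephemeral.
	auth := NewLoopbackTokenAuthenticator("example-loopback-token")
	for _, peer := range []string{"127.0.0.1:41234", "[::1]:41234", "10.0.0.7:41234"} {
		user, ok, err := auth.AuthenticateRequest(newRequest(peer, "Bearer example-loopback-token"))
		fmt.Printf("peer=%-16s ok=%-5v err=%v user=%v\n", peer, ok, err, user)
	}
}
```

Two caveats apply to a check of this shape. `RemoteAddr` is the TCP peer, so any proxy or sidecar that terminates connections on the same host would make external traffic look local; the check is only meaningful when the API server accepts connections directly. Returning an error instead of falling through also makes an external presentation of the token a loud, auditable event rather than an ordinary failed authentication, which is the behaviour a defense-in-depth control should have.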
Component
kube-apiserver
Anything else we need to know?
See umbrella issue #118980 for current status of all issues created from these findings.
The vendor gave this issue an ID of NCC-E003660-47W and it was finding 11 of the report under the kube-apiserver section.
The vendor considers this issue Low Risk, High Impact, Undetermined Exploitability.
To view the original finding, begin on page 33 of the Kubernetes 1.24 Security Audit Report
Test Environment
Kubernetes 1.24.3