1.1.4 Ensure that the --insecure-allow-any-token argument is not set

Information

Do not allow any insecure tokens

Rationale:

Accepting insecure tokens would allow any token without actually authenticating anything. User information is parsed from the token and connections are allowed.

Solution

Edit the `/etc/kubernetes/apiserver` file on the master node and remove the `--insecure-allow-any-token` argument from the `KUBE_API_ARGS` parameter. Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

None

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16

Plugin: Unix

Control ID: 6f9fbf6497a19ae046ab8edda12a14dce8c45cf638e527f3d7342aa428e33e63