1.1.3 Ensure that the --basic-auth-file argument is not set

Information

Do not use basic authentication.

Rationale:

Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting API server. The basic authentication is currently supported for convenience. Hence, basic authentication should not be used.

Solution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the `/etc/kubernetes/apiserver` file on the master node and remove the `'--basic-auth-file='` argument from the `KUBE_API_ARGS` parameter. Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

You will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no more be used.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CSCv6|16.14

Plugin: Unix

Control ID: cbf2f2a3b4b603839e270df41d75721e30a68f7a2ccdc1143432b19e1147eaf6