3.1.3 Bootstrap token authentication should not be used for users

Information

Kubernetes provides bootstrap tokens which are intended for use by new nodes joining the cluster

These tokens are not designed for use by end-users they are specifically designed for the purpose of bootstrapping new nodes and not for general authentication

Bootstrap tokens are not intended for use as a general authentication mechanism and impose constraints on user and group naming that do not facilitate good RBAC design. They also cannot be used with MFA resulting in a weak authentication mechanism being available.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of bootstrap tokens.

Impact:

External mechanisms for authentication generally require additional software to be deployed.

See Also

https://workbench.cisecurity.org/benchmarks/17568