3.1.15 Ensure that the --token-auth-file parameter is not set

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the federation apiserver. The tokens are stored in clear-text in a file on the federation apiserver, and cannot be revoked or rotated without restarting the federation apiserver. Hence, do not use static token-based authentication.

Solution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the deployment specs and remove the '--token-auth-file=' argument.

kubectl edit deployments federation-apiserver-deployment --namespace=federation-system

Impact:

You will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.

See Also

https://workbench.cisecurity.org/files/1788

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CSCv6|16.14

Plugin: Unix

Control ID: a78ffcb50da57594ac75890751e9a61349f34334c6ee6c2d90164a09a1bb73be