1.1.3 Ensure that the --insecure-allow-any-token argument is not set

Information

Do not allow any insecure tokens.

Rationale:

Accepting insecure tokens means the API server allows any token without actually authenticating anything: user information is parsed from the token and the connection is allowed.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and remove the '--insecure-allow-any-token' parameter.

Impact:

None
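The check and remediation described above, as an added shell example that is not part of the benchmark or of any vendor audit file. The function names, the sample manifest and its image name are constructed for illustration; on a real master node, pass the manifest path given in the Solution.

```shell
#!/bin/sh
# Added example: audit/remediate a kube-apiserver manifest for one flag.
FLAG='--insecure-allow-any-token'

# Write a constructed sample manifest (not from a real cluster) to "$1".
write_sample() {
cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --anonymous-auth=false
    - --insecure-allow-any-token
    # - --insecure-allow-any-token   (commented out, must not count)
    image: example.invalid/kube-apiserver:placeholder
EOF
}

# Return 0 (compliant) if the flag is absent, 1 if it is set in any form
# (bare or with =value). YAML comments are stripped before matching.
check_manifest() {
    if sed -E 's/(^|[[:space:]]+)#.*$//' "$1" |
        grep -Eq -- "(^|[[:space:]\"'])${FLAG}(=|[[:space:]\"']|\$)"; then
        return 1
    fi
    return 0
}

# Write to "$2" a copy of "$1" with every list item that sets the flag removed.
remediate_manifest() {
    sed -E "/^[[:space:]]*-[[:space:]]+[\"']?${FLAG}(=[^[:space:]\"']*)?[\"']?[[:space:]]*(#.*)?\$/d" "$1" > "$2"
}

# Demonstration on the constructed manifest.
tmp=$(mktemp -d)
write_sample "$tmp/kube-apiserver.yaml"
check_manifest "$tmp/kube-apiserver.yaml" && echo "before: PASS" || echo "before: FAIL"
remediate_manifest "$tmp/kube-apiserver.yaml" "$tmp/fixed.yaml"
check_manifest "$tmp/fixed.yaml" && echo "after: PASS" || echo "after: FAIL"
rm -rf "$tmp"
```

The remediation writes to a separate file so the result can be diffed against the original before the manifest is replaced.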

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16

Plugin: Unix

Control ID: 990a87b774a681c9eb8c8592c41396e62e2be2a53d62f9faba76e4cedd742156