1.1.20 Ensure that the --token-auth-file parameter is not set

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Solution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and remove the '--token-auth-file=' parameter.

Impact:

You will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CSCv6|16.14

Plugin: Unix

Control ID: 2e1da9b4c9181231524a0b3ef7de9264822dbbe8bedca1dbc204a61b02875a3b