1.1.20 Ensure that the --token-auth-file parameter is not set

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Solution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and remove the '--token-auth-file=' parameter.

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv6|16.14, CSCv7|16.4

Plugin: Unix

Control ID: e4cf371224bbd481d0792ba48b71e008e4210a12d5dc49b6c5976dcd0418f4d9