1.1.3 Ensure that the --insecure-allow-any-token argument is not set

Information

Do not allow any insecure tokens

Rationale:

Accepting insecure tokens would allow any token without actually authenticating anything. User information is parsed from the token and connections are allowed.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and remove the '--insecure-allow-any-token' parameter.

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16

Plugin: Unix

Control ID: d54cd8f4ff696caa9747be035f8babcbac445ed114c91309951ab7f251ea65f0