1.2.3 Ensure that the --token-auth-file parameter is not set

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Impact:

OpenShift does not use the token-auth-file flag. OpenShift includes a built-in OAuth server rather than relying on a static token file. The OAuth server is integrated with the API server.

Solution

None is required.

Default Value:

By default, --token-auth-file argument is not set and OAuth authentication is configured.

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|16.4

Plugin: OpenShift

Control ID: 623674f16c28797edcae7c767f2f99eaa1acbd60f8fb70c81094824d2f44468d