1.1.3 Ensure that the --insecure-allow-any-token argument is not set

Information

Do not allow any insecure tokens

Rationale:

Accepting insecure tokens would allow any token without actually authenticating anything. User information is parsed from the token and connections are allowed.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and remove the '--insecure-allow-any-token' parameter.

Impact:

None

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16

Plugin: Unix

Control ID: ab7ac152bfae66d19cae3145074388e80a9d636a29d4264e4e56bee6f945161a