1.2.3 Ensure that the --token-auth-file parameter is not set

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Solution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file=<filename> parameter.

Impact:

You will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.

Default Value:

By default, --token-auth-file argument is not set.

References:

https://kubernetes.io/docs/admin/authentication/#static-token-file

https://kubernetes.io/docs/admin/kube-apiserver/

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|16.14, CSCv7|16.4

Plugin: Unix

Control ID: 264bcf2009e490e14a4e7087c509ce4503cf62b630dce00c313fe4b05bbeac21