1.2.3 Ensure that the --token-auth-file parameter is not set

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Impact:

You will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.

Solution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file=<filename> parameter.

Default Value:

By default, --token-auth-file argument is not set.

See Also

https://workbench.cisecurity.org/files/2968

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv6|16.14, CSCv7|16.4

Plugin: Unix

Control ID: 0aedb1c6babe69ff9e96335223587c9fd01b896f3690ada92a75f5c0f0f412d9