1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServers

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Do not use token based authentication.

Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Impact:

OpenShift does not use the token-auth-file flag. OpenShift includes a built-in OAuth server rather than relying on a static token file. The OAuth server is integrated with the API server.

Solution

None is required.

Default Value:

By default, --token-auth-file argument is not set and OAuth authentication is configured.

See Also

https://workbench.cisecurity.org/files/4260