C-0114 - Ensure that the API Server --token-auth-file parameter is not set
Description of the issue
The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.
What does this control test
Do not use token based authentication.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --token-auth-file argument does not exist.
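The manual check above as a repeatable script. This is an added example, not part of the control's own documentation. It inspects the running process and also the static pod manifest at /etc/kubernetes/manifests/kube-apiserver.yaml, and matches the flag in both its "=PATH" and space-separated forms. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit kube-apiserver for the static-token flag.
# Function names and exit codes are hypothetical, chosen for this example.

# Succeeds (exit 0) if the text on stdin sets --token-auth-file, either as
# "--token-auth-file=PATH" or "--token-auth-file PATH". Full-line YAML
# comments are ignored so a commented-out flag does not count.
has_token_auth_file() {
    grep -v '^[[:space:]]*#' |
        grep -Eq -e '(^|[^[:alnum:]-])--token-auth-file([^[:alnum:]-]|$)'
}

# Check the arguments of the running kube-apiserver process. The [k] bracket
# keeps grep from matching its own command line in the ps output.
check_process() {
    if ps -ef | grep '[k]ube-apiserver' | has_token_auth_file; then
        echo "FAIL: running kube-apiserver has --token-auth-file set"
        return 1
    fi
    echo "PASS: running kube-apiserver does not set --token-auth-file"
}

# Check the static pod manifest too, so the flag does not come back the next
# time the kubelet recreates the API server pod.
check_manifest() {
    manifest="${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
    if [ ! -r "$manifest" ]; then
        echo "SKIP: cannot read $manifest"
        return 2
    fi
    if has_token_auth_file < "$manifest"; then
        echo "FAIL: $manifest sets --token-auth-file"
        return 1
    fi
    echo "PASS: $manifest does not set --token-auth-file"
}
```

On a Control Plane node, source the file and run check_process followed by check_manifest; a non-zero exit status from either means the control fails or could not be evaluated.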
Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the
You will have to configure and use alternate authentication mechanisms such as certificates. Static token-based authentication can no longer be used.
--token-auth-file argument is not set.