C-0288 - Bootstrap token authentication should not be used for users

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.10.0

Severity

Medium

Description of the issue

Bootstrap tokens are not intended for use as a general authentication mechanism, and they impose constraints on user and group naming that do not facilitate good RBAC design. They also cannot be used with MFA, so leaving them available to users means a weak authentication mechanism is exposed.

Related resources

What does this control test

Kubernetes provides bootstrap tokens, which are intended for use by new nodes joining the cluster.

These tokens are not designed for use by end users; they exist specifically to bootstrap new nodes, not for general authentication.

How to check it manually

Review user access to the cluster and ensure that users are not making use of bootstrap token authentication.
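Two concrete checks that support this manual review, as an added example rather than anything from the Kubescape project itself: whether the kube-apiserver manifest enables the bootstrap token authenticator at all, and whether API server audit events show bootstrap-token identities doing anything beyond the certificate signing request a joining node submits. The bootstrap authenticator assigns the username system:bootstrap:<token-id> and the group system:bootstrappers, which is what the audit check keys on. Both the manifest excerpt and the audit log lines below are constructed so the script runs without a cluster; on a real control-plane node the manifest is normally /etc/kubernetes/manifests/kube-apiserver.yaml and the audit log path is whatever --audit-log-path was set to.

```shell
#!/bin/sh
# Added example (not Kubescape code): offline checks for bootstrap token use.
# Inputs below are CONSTRUCTED stand-ins for real files on a control-plane node.

# Constructed excerpt of /etc/kubernetes/manifests/kube-apiserver.yaml
APISERVER_MANIFEST='apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-bootstrap-token-auth=true
    - --oidc-issuer-url=https://issuer.example/'

# Constructed audit events (one JSON object per line, as the json audit backend
# writes them). A bootstrap token authenticates as system:bootstrap:<token-id>
# in group system:bootstrappers; a joining node only needs to create a CSR.
AUDIT_LOG='{"kind":"Event","user":{"username":"system:bootstrap:abcdef","groups":["system:bootstrappers","system:authenticated"]},"verb":"create","objectRef":{"resource":"certificatesigningrequests"}}
{"kind":"Event","user":{"username":"system:bootstrap:abcdef","groups":["system:bootstrappers","system:authenticated"]},"verb":"list","objectRef":{"resource":"secrets","namespace":"prod"}}
{"kind":"Event","user":{"username":"alice@example.com","groups":["developers","system:authenticated"]},"verb":"get","objectRef":{"resource":"pods","namespace":"prod"}}'

# Exit 0 if the manifest text on stdin turns the bootstrap authenticator on.
bootstrap_auth_enabled() {
  grep -q -- '--enable-bootstrap-token-auth=true'
}

# Print audit events (from stdin) where a bootstrap-token identity touched
# anything other than certificatesigningrequests. Exit 1 if nothing matched.
find_bootstrap_misuse() {
  grep '"username":"system:bootstrap:' \
    | grep -v '"resource":"certificatesigningrequests"'
}

# Stand-alone run: summarise both findings.
report() {
  if printf '%s\n' "$APISERVER_MANIFEST" | bootstrap_auth_enabled; then
    echo "kube-apiserver: --enable-bootstrap-token-auth=true (bootstrap authenticator active)"
  else
    echo "kube-apiserver: bootstrap token authentication not enabled"
  fi
  echo "audit events from bootstrap identities outside CSR handling:"
  printf '%s\n' "$AUDIT_LOG" | find_bootstrap_misuse || echo "  (none)"
}

report
```

On a real node, replace the two constructed variables with `cat /etc/kubernetes/manifests/kube-apiserver.yaml` and the audit log file; any line the second check prints is a bootstrap token being used as a general credential and should be traced back to whoever holds that token secret in kube-system.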

Remediation

Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented in place of bootstrap tokens.

Impact Statement

External mechanisms for authentication generally require additional software to be deployed.

Default Value

Bootstrap token authentication is not enabled by default and requires an API server parameter to be set.

Example

No example