CIS-1.2.2 - Ensure that the API Server --token-auth-file parameter is not set

Ensure that the API Server --token-auth-file parameter is not set

Framework

CIS

Severity

High

Description of the the issue

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Related resources

Pod

What does this control test

Do not use token based authentication.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --token-auth-file argument does not exist.

Remediation

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file=<filename> parameter.

Impact Statement

You will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.

Default Value

By default, --token-auth-file argument is not set.

Example

No example