The API server should use secure authentication methods without token based authentication

문서 > Datadog 보안 > OOTB Rules > The API server should use secure authentication methods without token based authentication

Classification:

compliance

Framework:

cis-kubernetes

Control:

1.2.3

Set up the kubernetes integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

Do not use token based authentication.

Rationale

The token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.

Audit

Run the following command on the master node:

ps -ef | grep kube-apiserver

Verify that the --token-auth-file argument does not exist.

Remediation

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file=<filename> parameter.

Impact

You will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.

Default value

By default, --token-auth-file argument is not set.

References

CIS controls

Version 6

16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

Version 7

16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.