Check: CNTR-K8-002630
Kubernetes STIG:
CNTR-K8-002630
(in versions v2 r2 through v1 r11)
Title
Kubernetes API Server must disable token authentication to protect information in transit. (Cat I impact)
Discussion
Kubernetes static token authentication (enabled with the API server option "--token-auth-file") reads bearer tokens from a plaintext CSV file on the control plane. This file contains sensitive information: the token, username and user UID (and optionally group names) of every static user, and it is only read at startup, so the tokens never expire and cannot be rotated or revoked without restarting the API server. A static token is a long-lived bearer credential presented as-is on every request, which makes the file very valuable to attackers with malicious intent, especially when one of the accounts it maps to is privileged. With the token, a threat actor can impersonate that account and gain its access to the REST API.
Check Content
Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane and run the command:

grep -i token-auth-file *

If "--token-auth-file" is set in the Kubernetes API server manifest file, this is a finding.
Fix Text
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane and remove the setting "--token-auth-file". Any client that still authenticates with a static token will lose access once the flag is removed, so migrate such clients to another authentication method (for example client certificates or service account tokens) first. The kubelet restarts the kube-apiserver static pod automatically when the manifest changes; re-run the check afterwards to confirm the flag is gone.
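The following shell script is an added example, not part of the STIG text, that automates the Check Content and Fix Text above. It assumes kubeadm-style static pod manifests in which every API server flag is a separate "- --flag=value" list item; the two sample manifests it writes are constructed for the example and are not real cluster files. The function names (write_samples, check_token_auth_file, remove_token_auth_file) are the example's own.

```shell
#!/bin/sh
# Added example for CNTR-K8-002630 (not the STIG's own script).
# Assumption: kubeadm-style manifests, one "- --flag=value" item per line.

# write_samples DIR: create two constructed kube-apiserver manifests in DIR,
# one that fails the check (static token file enabled) and one that passes.
write_samples() {
    dir="$1"
    cat > "$dir/kube-apiserver-weak.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --token-auth-file=/etc/kubernetes/static-tokens.csv
    - --secure-port=6443
EOF
    # Same manifest without the static token flag: the state the Fix Text requires.
    grep -v -e '--token-auth-file' "$dir/kube-apiserver-weak.yaml" \
        > "$dir/kube-apiserver-fixed.yaml"
}

# check_token_auth_file MANIFEST: print the result; return 1 on a finding, 0 otherwise.
# Unlike the bare "grep -i token-auth-file *" in the Check Content, commented-out
# lines are ignored, and both "--token-auth-file=PATH" and "--token-auth-file PATH"
# spellings of the flag are matched.
check_token_auth_file() {
    manifest="$1"
    hit=$(grep -v '^[[:space:]]*#' "$manifest" \
          | grep -E -e '--token-auth-file(=|[[:space:]]|$)' | head -n 1)
    if [ -n "$hit" ]; then
        path=$(printf '%s\n' "$hit" | sed -n 's/.*--token-auth-file=\([^" ]*\).*/\1/p')
        echo "FINDING: $manifest enables static token authentication (${path:-path not on same line})"
        # Context a reviewer wants: does the token file exist on this host and who can read it?
        if [ -n "$path" ] && [ -f "$path" ]; then
            ls -l "$path"
        fi
        return 1
    fi
    echo "OK: $manifest does not set --token-auth-file"
    return 0
}

# remove_token_auth_file MANIFEST: apply the Fix Text by deleting the flag line.
# Handles the one-line "- --token-auth-file=PATH" form only; a two-item
# "- --token-auth-file" / "- PATH" form must be edited by hand.
# A backup is kept as MANIFEST.bak; kubelet restarts the static pod on change.
remove_token_auth_file() {
    manifest="$1"
    cp "$manifest" "$manifest.bak"
    grep -v -e '--token-auth-file=' "$manifest.bak" > "$manifest"
}

# demo: run the check against both samples, apply the fix, and re-check.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    check_token_auth_file "$d/kube-apiserver-weak.yaml" || true   # expected: FINDING
    check_token_auth_file "$d/kube-apiserver-fixed.yaml"          # expected: OK
    remove_token_auth_file "$d/kube-apiserver-weak.yaml"
    check_token_auth_file "$d/kube-apiserver-weak.yaml"           # expected: OK after fix
    rm -rf "$d"
}
demo
```

On a real control plane, run the check over the actual manifests with a loop such as `for m in /etc/kubernetes/manifests/*.yaml; do check_token_auth_file "$m"; done` and only call remove_token_auth_file once every static-token client has been migrated, since the API server will reject those tokens as soon as the pod restarts.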
Additional Identifiers
Rule ID: SV-245543r961632_rule
Vulnerability ID: V-245543
Group Title: SRG-APP-000439-CTR-001080
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002448 | Distribute asymmetric cryptographic keys using: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; or certificates issued in accordance with organization-defined requirements. |
Controls
Number | Title |
---|---|
SC-12(3) | Asymmetric Keys |