An error occurred:

Check: CNTR-K8-002630

Kubernetes STIG: CNTR-K8-002630 (in version v1 r11)

Title

Kubernetes API Server must disable token authentication to protect information in transit. (Cat I impact)

Discussion

Kubernetes token authentication uses password known as secrets in a plaintext file. This file contains sensitive information such as token, username and user uid. This token is used by service accounts within pods to authenticate with the API Server. This information is very valuable for attackers with malicious intent if the service account is privileged having access to the token. With this token a threat actor can impersonate the service account gaining access to the Rest API service.

Check Content

Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command: grep -i token-auth-file * If "--token-auth-file" is set in the Kubernetes API server manifest file, this is a finding.

Fix Text

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane. Remove the setting "--token-auth-file".

Additional Identifiers

Rule ID: SV-245543r927259_rule

Vulnerability ID: V-245543

Group Title: SRG-APP-000439-CTR-001080

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002448

The organization distributes asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-12 (3)

Asymmetric Keys