Profile Applicability:

  • Level 1

Description:

Ensure that the --token-auth-file parameter is not set in the Kubernetes API server configuration. This parameter, when enabled, specifies a file containing tokens used for authenticating users. Using token files for authentication can introduce security risks, as token files may be susceptible to exposure or misuse. It is recommended to disable this parameter and use more secure authentication mechanisms like client certificates or an identity provider.

Rationale:

The --token-auth-file parameter allows the Kubernetes API server to authenticate users based on tokens listed in a file. However, this method can expose tokens to unauthorized users and lacks the granularity and security features provided by more modern authentication methods, such as OAuth, OpenID, or client certificates. Disabling this parameter helps ensure more secure authentication mechanisms are used.

Impact:

Pros:

  • Improves security by disabling the use of potentially insecure token-based authentication.

  • Encourages the use of stronger, more flexible authentication mechanisms (e.g., OAuth, identity providers).

Cons:

  • If token-based authentication is currently in use, disabling this parameter may affect user authentication unless a more secure method is configured.

Default Value:

By default, the --token-auth-file parameter is not set, and Kubernetes relies on other methods (such as client certificates or an identity provider) for authentication. This setting must be manually verified to ensure it is disabled.

Pre-Requisites:

  • Access to the Kubernetes API server configuration.

  • Sufficient privileges (root or administrator access) to modify the API server flags.

  • A Kubernetes environment with a secure, modern authentication strategy in place.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Review the settings for the --token-auth-file parameter in the API server configuration.

  5. Ensure that the --token-auth-file parameter is not set. If it is set, disable it.

Using AWS CLI:

Retrieve the configuration for the Kubernetes API server:

  kubectl get deployment -n kube-system kube-apiserver -o yaml

Check for the presence of the --token-auth-file argument in the API server arguments section. If it is present, it appears as a line such as:

  - --token-auth-file=/etc/kubernetes/pki/token-auth-file

Ensure that the --token-auth-file argument is not set. If it is set, remove it or disable it in the configuration.

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Review the cluster's configuration for the --token-auth-file argument.

  4. If the --token-auth-file parameter is set, remove it from the configuration:

     --token-auth-file=<file-path>

    Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

Modify the API server deployment by removing the --token-auth-file argument:

  kubectl edit deployment -n kube-system kube-apiserver

  1. In the deployment YAML, locate the command section under the spec for the kube-apiserver container.

  2. Remove the following line from the arguments section:

     - --token-auth-file=/etc/kubernetes/pki/token-auth-file

  3. Save and exit the editor to apply the changes.
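The audit in the Test Plan and the remediation in the Implementation Plan can both be expressed as a small script. The following is an added example, not part of the benchmark text: it reads the API server manifest as JSON (for example the output of kubectl get deployment -n kube-system kube-apiserver -o json, or a static pod manifest converted to JSON), reports every --token-auth-file occurrence, and produces a copy of the manifest with the flag removed. It handles both forms the kube-apiserver flag parser accepts, --token-auth-file=PATH and --token-auth-file PATH. The function names and the sample manifest are constructed for this example. Where a provider manages the control plane, the API server manifest is not exposed through kubectl, so the script applies to manifests you can actually retrieve.

```python
"""Audit and remediate the --token-auth-file flag in a kube-apiserver manifest.

Added example for this benchmark item. The manifest is a Pod, Deployment or
DaemonSet object decoded from JSON; SAMPLE_MANIFEST below is constructed.
"""
import copy
import json
import sys

FLAG = "--token-auth-file"


def _iter_containers(manifest):
    """Yield container specs from a Pod or from a Deployment/DaemonSet manifest."""
    spec = manifest.get("spec", {})
    # Deployments carry the pod spec under spec.template.spec; Pods carry it at spec.
    pod_spec = spec.get("template", {}).get("spec", spec)
    for container in pod_spec.get("containers", []):
        yield container


def find_token_auth_file(manifest):
    """Return [(container_name, path), ...] for every --token-auth-file occurrence.

    Both '--token-auth-file=PATH' and the two-element '--token-auth-file PATH'
    form are detected, in either the command or the args list.
    """
    findings = []
    for container in _iter_containers(manifest):
        argv = list(container.get("command", [])) + list(container.get("args", []))
        i = 0
        while i < len(argv):
            arg = argv[i]
            if arg.startswith(FLAG + "="):
                findings.append((container.get("name"), arg.split("=", 1)[1]))
            elif arg == FLAG and i + 1 < len(argv):
                findings.append((container.get("name"), argv[i + 1]))
                i += 1  # skip the value that follows the bare flag
            i += 1
    return findings


def remove_token_auth_file(manifest):
    """Return a deep copy of the manifest with every --token-auth-file argument removed."""
    fixed = copy.deepcopy(manifest)
    for container in _iter_containers(fixed):
        for key in ("command", "args"):
            argv = container.get(key)
            if not argv:
                continue
            kept, skip_next = [], False
            for arg in argv:
                if skip_next:          # drop the PATH after a bare --token-auth-file
                    skip_next = False
                    continue
                if arg.startswith(FLAG + "="):
                    continue
                if arg == FLAG:
                    skip_next = True
                    continue
                kept.append(arg)
            container[key] = kept
    return fixed


# Constructed sample: a deployment-shaped manifest that fails the check.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "kube-apiserver",
        "command": [
            "kube-apiserver",
            "--token-auth-file=/etc/kubernetes/pki/token-auth-file",
            "--authorization-mode=Node,RBAC",
        ],
    }]}}},
}


if __name__ == "__main__":
    # Pipe `kubectl get ... -o json` in; with no stdin, audit the constructed sample.
    manifest = SAMPLE_MANIFEST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_token_auth_file(manifest)
    if findings:
        for name, path in findings:
            print(f"FAIL: container {name!r} sets {FLAG}={path}")
        print(json.dumps(remove_token_auth_file(manifest), indent=2))  # remediated copy
        sys.exit(1)
    print(f"PASS: {FLAG} is not set")
```

Run it as kubectl get deployment -n kube-system kube-apiserver -o json | python3 audit_token_auth_file.py; a non-zero exit signals a finding, and the remediated manifest it prints is what the manual edit in the steps above produces. The remediation works on a copy so the original object is left intact for comparison.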

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Locate the API server configuration.

  4. If necessary, revert the change by re-enabling the --token-auth-file parameter with the appropriate file path.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

To revert the change, edit the API server deployment and re-enable the --token-auth-file parameter:

  kubectl edit deployment -n kube-system kube-apiserver

  1. Add the following line to the arguments section:

     - --token-auth-file=/etc/kubernetes/pki/token-auth-file

  2. Save and exit the editor to apply the changes.

References: