Profile Applicability:
- Level 1
Description:
Bootstrap token authentication is a mechanism used primarily during the initial setup and bootstrapping of Kubernetes clusters to authenticate worker nodes to the API server when they join. It is not intended for use by regular users. Allowing bootstrap token authentication for users introduces security risks: these tokens have short expiration times and are designed for one-time use during initial cluster setup, which makes them unsuitable for continuous user authentication.
Rationale:
Bootstrap tokens are meant for short-lived, temporary use during cluster initialization. Using them for user authentication can lead to severe security risks, such as unauthorized access or untracked user actions. It is crucial to use more secure and scalable authentication methods, such as OpenID Connect (OIDC), AWS IAM, or LDAP, for regular users to ensure proper access control, auditability, and security.
Impact:
Pros:
Improves security by ensuring that only appropriate, secure authentication mechanisms are used for user access.
Prevents potential unauthorized access through expired or misused bootstrap tokens.
Ensures a proper identity management and access control system for users.
Cons:
Requires transitioning users from bootstrap token-based authentication to a more appropriate method, which may require configuration and management changes.
Default Value:
Bootstrap token authentication is enabled by default for initial cluster bootstrapping but should be disabled for user authentication in secure environments.
Pre-requisites:
A secure, scalable authentication mechanism (such as OIDC or IAM) should be configured and available for users.
Bootstrap tokens should only be used during the cluster bootstrapping process and not for regular user authentication.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the Kubernetes API server configuration.
Verify that bootstrap token authentication is not enabled for users and that an appropriate authentication method (like OIDC or IAM) is used.
Using AWS CLI:
Run the following AWS CLI commands to describe the cluster's access configuration and to list any identity provider configurations associated with it:
aws eks describe-cluster --name <cluster-name> --query "cluster.accessConfig"
aws eks list-identity-provider-configs --cluster-name <cluster-name>
Ensure that bootstrap token authentication is not listed as the authentication method for users and that an IAM-based or OIDC identity provider configuration is in place.
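As an added defender-side check that is not part of this benchmark page, the following script inspects bootstrap token Secrets in kube-system the way a reviewer with kubectl access would, flagging tokens that never expire, are already expired but still present, or whose remaining lifetime exceeds an assumed 24-hour join window. It reads only token metadata, never the token-secret value, and runs here on a constructed sample rather than live kubectl output.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the shape of `kubectl get secrets -n kube-system -o json`,
# trimmed to the fields this check reads. It is not output from a real cluster.
SAMPLE_SECRET_LIST = json.dumps({"items": [
    {"metadata": {"name": "bootstrap-token-aaaaaa"}, "type": "bootstrap.kubernetes.io/token",
     "data": {"token-id": _b64("aaaaaa"), "expiration": _b64("2020-01-01T00:00:00Z")}},
    {"metadata": {"name": "bootstrap-token-bbbbbb"}, "type": "bootstrap.kubernetes.io/token",
     "data": {"token-id": _b64("bbbbbb")}},
    {"metadata": {"name": "bootstrap-token-cccccc"}, "type": "bootstrap.kubernetes.io/token",
     "data": {"token-id": _b64("cccccc"), "expiration": _b64("2030-01-01T00:00:00Z")}},
    {"metadata": {"name": "bootstrap-token-dddddd"}, "type": "bootstrap.kubernetes.io/token",
     "data": {"token-id": _b64("dddddd"), "expiration": _b64("2025-01-01T12:00:00Z")}},
    {"metadata": {"name": "default-token-x"}, "type": "kubernetes.io/service-account-token",
     "data": {}},
]})

# Fixed reference time so the sample evaluates the same way every run (assumed value).
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def audit_bootstrap_tokens(secret_list_json, now, max_ttl=timedelta(hours=24)):
    """Map token-id -> list of problems for every bootstrap token Secret.

    Only metadata fields are decoded; token-secret is skipped on purpose so the
    result can be logged or reported without exposing a usable credential.
    """
    findings = {}
    for item in json.loads(secret_list_json)["items"]:
        if item.get("type") != "bootstrap.kubernetes.io/token":
            continue  # service-account and other Secret types are out of scope
        data = {k: base64.b64decode(v).decode()
                for k, v in item.get("data", {}).items() if k != "token-secret"}
        token_id = data.get("token-id", item["metadata"]["name"])
        problems = []
        exp = data.get("expiration")
        if exp is None:
            problems.append("no expiration: token never expires")
        else:
            exp_at = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            if exp_at <= now:
                problems.append("expired but still present")
            elif exp_at - now > max_ttl:
                problems.append("long-lived: expires %s" % exp)
        findings[token_id] = problems
    return findings


if __name__ == "__main__":
    for tid, probs in audit_bootstrap_tokens(SAMPLE_SECRET_LIST, REFERENCE_NOW).items():
        print(tid, "OK" if not probs else "; ".join(probs))
```

Against a live cluster, feed it the output of `kubectl get secrets -n kube-system -o json` and the current time; any non-empty finding is a token that should be deleted or justified.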
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Under the Cluster Configuration section, review the authentication settings.
Disable bootstrap token authentication for users and enable a more appropriate authentication method (e.g., OIDC, IAM).
Save the configuration and apply the changes.
Using AWS CLI:
Update the authentication settings to move users off bootstrap tokens by associating an OIDC identity provider with the cluster (replace the placeholders with your provider's issuer URL and client ID):
aws eks associate-identity-provider-config --cluster-name <cluster-name> --oidc identityProviderConfigName=<config-name>,issuerUrl=<issuer-url>,clientId=<client-id>
Backout Plan:
Using AWS Console:
Navigate to the EKS cluster's API server configuration.
If necessary, revert the configuration to re-enable bootstrap token authentication.
Save the configuration and redeploy the cluster.
Using AWS CLI:
If issues occur, revert the change by removing the identity provider configuration that was associated:
aws eks disassociate-identity-provider-config --cluster-name <cluster-name> --identity-provider-config type=oidc,name=<config-name>
References:
Kubernetes Authentication Documentation