Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with the --token-auth-file parameter, which enables static token-based authentication. This method is insecure and not recommended: the token file is read once at API server start, so it offers no rotation or revocation without restarting the server, and any token in it is a long-lived credential, increasing the risk of unauthorized access.

Impact

If exploited, attackers could authenticate to the Kubernetes API server using static tokens, potentially gaining unauthorized access to cluster resources. Compromised tokens are difficult to revoke, increasing the risk of persistent unauthorized control or data exposure.

Resolution

Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file= parameter.
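The check behind this rule, and the remediation it asks for, can both be expressed over the API server's static pod manifest. The following is an added example written for this page, not the scanner's own implementation: it scans the `command:` list of a kube-apiserver manifest for `--token-auth-file` (in both the `--flag=value` and `--flag value` forms), reports the configured token file, and produces a corrected command list and manifest with the flag removed. The manifest text, the image tag and the `/etc/kubernetes/known_tokens.csv` path are constructed sample values, and the line scanner assumes the kubeadm layout where each command item is a `- ` line at the same indentation as the `command:` key.

```python
# Constructed sample of a kubeadm-style static pod manifest; only the fields
# the check needs are included. The token file path is a made-up value.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0
    command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --token-auth-file=/etc/kubernetes/known_tokens.csv
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --authorization-mode=Node,RBAC
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
"""

FLAG = "--token-auth-file"


def extract_command(manifest_text):
    """Return the list items under the first 'command:' key.

    A deliberately minimal line scanner so the example needs no YAML
    library. It assumes the kubeadm layout: every item is a '- ' line
    indented at least as deep as the 'command:' key itself.
    """
    items = []
    base_indent = None
    for line in manifest_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if base_indent is None:
            if stripped.rstrip() == "command:":
                base_indent = indent
            continue
        if indent < base_indent or not stripped.startswith("- "):
            break  # left the command list
        items.append(stripped[2:].strip())
    return items


def find_static_token_flag(command):
    """Return the path passed to --token-auth-file, or None if absent."""
    for i, arg in enumerate(command):
        if arg == FLAG and i + 1 < len(command):
            return command[i + 1]  # '--token-auth-file <path>' form
        if arg.startswith(FLAG + "="):
            return arg.split("=", 1)[1]  # '--token-auth-file=<path>' form
    return None


def remove_static_token_flag(command):
    """Return a copy of the command with the flag (and its value) dropped."""
    out = []
    skip_next = False
    for arg in command:
        if skip_next:
            skip_next = False
            continue
        if arg == FLAG:
            skip_next = True  # value is the following argument
            continue
        if arg.startswith(FLAG + "="):
            continue
        out.append(arg)
    return out


def rewrite_manifest(manifest_text):
    """Return the manifest text with the --token-auth-file item(s) removed."""
    kept = []
    skip_next = False
    for line in manifest_text.splitlines(keepends=True):
        item = line.strip()
        if skip_next:
            skip_next = False
            continue
        if item == "- " + FLAG:
            skip_next = True  # drop the separate value line too
            continue
        if item.startswith("- " + FLAG + "="):
            continue
        kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    cmd = extract_command(SAMPLE_MANIFEST)
    token_file = find_static_token_flag(cmd)
    print("static token file:", token_file)           # flagged by the rule
    print("fixed command:", remove_static_token_flag(cmd))
```

Running the script reports the token file the manifest points at and prints the command list with the flag removed; `rewrite_manifest` gives the corresponding manifest text. Because the API server only reads the token file at startup, simply deleting the file does not disable the mechanism; the flag itself has to go from the manifest, after which the kubelet restarts the static pod with the new arguments.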