STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-245543

CAT I (High)

Kubernetes API Server must disable token authentication to protect information in transit.

Rule ID

SV-245543r961632_rule

STIG

Kubernetes Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-002448

Discussion

Kubernetes token authentication uses passwords, known as secrets, stored in a plaintext file. This file contains sensitive information such as the token, username, and user UID. This token is used by service accounts within pods to authenticate with the API Server. This information is very valuable to attackers with malicious intent if the service account that has access to the token is privileged. With this token, a threat actor can impersonate the service account and gain access to the REST API service.

Check Content

Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Control Plane. Run the command:

    grep -i token-auth-file *

If "--token-auth-file" is set in the Kubernetes API server manifest file, this is a finding.

Fix Text

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.

Remove the setting "--token-auth-file".
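The check and fix above as a script that can be run repeatedly, added here as an example; it is not part of the STIG text or of STIGhub. It reproduces the grep from the Check Content as a function that returns a finding status, and exercises it against constructed kube-apiserver manifests in a temporary directory rather than the live /etc/kubernetes/manifests. The manifest contents, the tokens.csv path and the image tag are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG text or STIGhub: an automated form of
# the V-245543 check, exercised against constructed kube-apiserver manifests
# in a temporary directory instead of the live /etc/kubernetes/manifests.

# check_token_auth_file DIR
# Mirrors "grep -i token-auth-file *" run inside the manifest directory.
# Prints every manifest that sets --token-auth-file and returns 1 (finding)
# if any does; returns 0 (no finding) otherwise.
check_token_auth_file() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -qi -e '--token-auth-file' "$f"; then
            echo "FINDING: $f sets --token-auth-file"
            found=1
        fi
    done
    return "$found"
}

# write_sample_manifest FILE [TOKEN_FILE]
# Writes a constructed kube-apiserver static-pod manifest. When TOKEN_FILE is
# given the manifest carries --token-auth-file (the non-compliant state);
# without it the flag is absent, which is the state the Fix Text produces.
write_sample_manifest() {
    file="$1"
    token_flag=""
    [ -n "$2" ] && token_flag="    - --token-auth-file=$2"
    cat > "$file" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:vX.Y.Z   # placeholder tag
    command:
    - kube-apiserver
    - --secure-port=6443
$token_flag
EOF
}

# run_demo
# Builds one non-compliant and one compliant manifest directory, runs the
# check on each, and returns 0 only if both are classified correctly.
run_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bad" "$tmp/good"
    write_sample_manifest "$tmp/bad/kube-apiserver.yaml" /etc/kubernetes/tokens.csv
    write_sample_manifest "$tmp/good/kube-apiserver.yaml"
    # A neighbouring static pod without the flag must not produce a finding.
    printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: etcd\n' > "$tmp/good/etcd.yaml"
    ok=0
    check_token_auth_file "$tmp/bad" && ok=1    # expected: finding (non-zero)
    check_token_auth_file "$tmp/good" || ok=1   # expected: no finding (zero)
    rm -rf "$tmp"
    return "$ok"
}

run_demo && echo "V-245543 check classified both sample directories correctly"
```

To use it against a real control plane, call check_token_auth_file /etc/kubernetes/manifests and treat a non-zero exit as the finding; after removing the flag as the Fix Text directs, the kubelet restarts the static pod from the edited manifest and the check should then return 0.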