Kubernetes API Server must disable basic authentication to protect information in transit.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-242439	CNTR-K8-002620	SV-242439r712673_rule		High

Description
Kubernetes basic authentication sends and receives request containing username, uid, groups, and other fields over a clear text HTTP communication. Basic authentication does not provide any security mechanisms using encryption standards. PKI certificate-based authentication must be set over a secure channel to ensure confidentiality and integrity. Basic authentication must not be set in the manifest file.

Description

Kubernetes basic authentication sends and receives request containing username, uid, groups, and other fields over a clear text HTTP communication. Basic authentication does not provide any security mechanisms using encryption standards. PKI certificate-based authentication must be set over a secure channel to ensure confidentiality and integrity. Basic authentication must not be set in the manifest file.

STIG	Date
Kubernetes Security Technical Implementation Guide	2021-04-14

Details

Check Text ( C-45714r712671_chk )
Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master Node. Run the command: grep -i basic-auth-file * If "basic-auth-file" is set in the Kubernetes API server manifest file, or is not configured this is a finding.

Fix Text (F-45672r712672_fix)
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Remove the setting "--basic-auth-file".