K8S API server configuration allows token-based authentication


It was found that the API server allows token-based authentication. Those tokens are stored in cleartext in the API server and cannot be revoked or rotated without restarting the API server.
  • Recommended Mitigation

    It is recommended to verify that the '--token-auth-file' argument does not exist in the API server configuration file.
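
One way to run this check against an API server manifest, as an added example that is not part of the original finding. It assumes a kubeadm-style static pod manifest with one flag per YAML list item; the function names, the sample manifests and the tokens.csv path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver static pod manifest for --token-auth-file.
# Assumption: kubeadm-style manifest with one flag per YAML list item.

# Prints the active flag (with its value) and returns 1 if it is set;
# returns 0 if it is absent or only commented out, 2 if the file is unreadable.
find_token_auth_file() {
    manifest=$1
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
    # Drop comments and quotes, then keep list items that carry the flag.
    hit=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]#.*$//' "$manifest" \
        | tr -d "\"'" \
        | grep -E '^[[:space:]]*-[[:space:]]+--token-auth-file(=|[[:space:]]*$)' \
        | sed -e 's/^[[:space:]]*-[[:space:]]*//')
    if [ -n "$hit" ]; then
        printf '%s\n' "$hit"
        return 1
    fi
    return 0
}

# Constructed sample manifests (not taken from a real cluster).
write_samples() {
    cat > "$1/bad.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - "--token-auth-file=/etc/kubernetes/tokens.csv"
EOF
    cat > "$1/good.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    # - --token-auth-file=/etc/kubernetes/tokens.csv
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/bad.yaml" "$demo_dir/good.yaml"; do
    if flag=$(find_token_auth_file "$f"); then
        echo "PASS ${f##*/}: --token-auth-file is not set"
    else
        echo "FAIL ${f##*/}: $flag"
    fi
done
```

On a kubeadm control-plane node the manifest to pass to `find_token_auth_file` is typically `/etc/kubernetes/manifests/kube-apiserver.yaml`.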