Ensure client certificate authentication to Kubernetes Engine Clusters is disabled

Error: GCP Kubernetes engine clusters have client certificate enabled

Bridgecrew Policy ID: BC_GCP_KUBERNETES_8
Checkov Check ID: CKV_GCP_13
Severity: LOW

Kubernetes authenticates API requests through authentication plugins that accept client certificates, bearer tokens, an authenticating proxy, HTTP basic auth (removed in Kubernetes 1.19) or OAuth tokens. As HTTP requests reach the API server, the plugins attempt to associate attributes such as a username, a UID and group memberships with the request; authorization decisions are then made against those attributes, so the strength of the whole chain rests on how the identity was established.

We recommend that GKE clusters authenticate users through Google identities (OAuth tokens obtained via gcloud and evaluated against Cloud IAM) rather than through client certificates. A GKE-issued client certificate is a long-lived credential that is not tied to a Google identity, so Cloud IAM cannot scope or remove it, and because the Kubernetes API server has no certificate revocation, the only way to invalidate a leaked certificate is to rotate the cluster's credentials, which invalidates every other credential issued by the same CA as well. Since GKE 1.12, new clusters no longer issue a client certificate by default; this check flags clusters that re-enable it. New clusters can be created with gcloud container clusters create --no-issue-client-certificate, and at runtime gcloud container clusters describe CLUSTER --zone ZONE --format="value(masterAuth.clientCertificate)" prints an empty value when no client certificate has been issued.

Fix - Buildtime

Terraform: set issue_client_certificate = false inside master_auth.client_certificate_config of the google_container_cluster resource. The original fragment below was missing its closing braces; it is completed here into valid HCL, with a service account resource added so that the node_config reference resolves.

resource "google_service_account" "default" {
  # Added so google_service_account.default.email below resolves; grant it only the roles the nodes need.
  account_id   = "gke-node-sa"
  display_name = "GKE node service account"
}

resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  master_auth {
    client_certificate_config {
      # Do not issue a long-lived client certificate; authenticate via Google identities instead.
      issue_client_certificate = false
    }
  }

  node_config {
    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}
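The following is an added example, not Checkov's own implementation of CKV_GCP_13, showing how a policy check of this kind evaluates a parsed google_container_cluster resource. It assumes the dictionary shape that Checkov's Terraform parser hands to checks (every attribute and nested block wrapped in a list); the sample resources are constructed inline, and the UNKNOWN outcome for a cluster that never declares the setting is a design choice made here so that reliance on the GKE default is surfaced for review rather than silently passed.

```python
"""Simplified buildtime check for GKE client certificate issuance.

Added example modelled on how Checkov evaluates a parsed Terraform resource;
it is not Checkov's own CKV_GCP_13 code. The list-wrapped dict shape used
below is an assumption about the parser output.
"""
from typing import Any, Dict, Iterable

PASSED = "PASSED"
FAILED = "FAILED"
# Setting not declared: the cluster inherits the GKE default (no certificate
# since GKE 1.12). Surfaced as UNKNOWN here so a reviewer confirms the version.
UNKNOWN = "UNKNOWN"


def _first(block: Any) -> Any:
    """Unwrap the single-element list the parser puts around values and blocks."""
    if isinstance(block, list):
        return block[0] if block else None
    return block


def check_client_certificate(conf: Dict[str, Any]) -> str:
    """Return PASSED/FAILED/UNKNOWN for one google_container_cluster config."""
    master_auth = _first(conf.get("master_auth"))
    if not isinstance(master_auth, dict):
        return UNKNOWN
    cert_config = _first(master_auth.get("client_certificate_config"))
    if not isinstance(cert_config, dict):
        return UNKNOWN
    value = _first(cert_config.get("issue_client_certificate"))
    if value is None:
        return UNKNOWN
    # Accept both a parsed boolean and the string form some parsers emit.
    if isinstance(value, str):
        value = value.strip().lower() == "true"
    return FAILED if value else PASSED


def scan_resources(resources: Iterable[Dict[str, Any]]) -> Dict[str, str]:
    """Evaluate every google_container_cluster; other resource types are skipped."""
    results: Dict[str, str] = {}
    for resource in resources:
        for resource_type, named in resource.items():
            if resource_type != "google_container_cluster":
                continue
            for name, conf in named.items():
                results[name] = check_client_certificate(conf)
    return results


# Constructed sample input (not real cluster definitions): a compliant cluster,
# a cluster that re-enables certificates, one that never sets the option, and
# an unrelated resource that must be ignored.
SAMPLE_RESOURCES = [
    {"google_container_cluster": {"primary": {
        "name": ["marcellus-wallace"],
        "master_auth": [{"client_certificate_config": [
            {"issue_client_certificate": [False]}]}],
    }}},
    {"google_container_cluster": {"legacy": {
        "name": ["legacy"],
        "master_auth": [{"client_certificate_config": [
            {"issue_client_certificate": [True]}]}],
    }}},
    {"google_container_cluster": {"implicit": {"name": ["implicit"]}}},
    {"google_compute_network": {"vpc": {"name": ["vpc"]}}},
]

if __name__ == "__main__":
    for cluster, result in scan_resources(SAMPLE_RESOURCES).items():
        print(f"{cluster}: {result}")
```

Running the block prints primary: PASSED, legacy: FAILED and implicit: UNKNOWN; a cluster that reaches UNKNOWN should be confirmed to run on GKE 1.12 or later, where the default is to issue no certificate, or have the setting declared explicitly as in the fix above.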