Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
Error: GCP Kubernetes engine clusters have client certificate enabled
Bridgecrew Policy ID: BC_GCP_KUBERNETES_8
Checkov Check ID: CKV_GCP_13
Severity: LOW
Description
Kubernetes authenticates API requests through authentication plugins, which can use client certificates, bearer tokens, an authenticating proxy, HTTP basic auth or OAuth. As HTTP requests are made to the API server, the plugins attempt to associate identity attributes with the request.
We recommend that you ensure Kubernetes Engine clusters authenticate using the OAuth method rather than the client certificates that were used before the latest service upgrade.
Fix - Buildtime
Terraform
resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3

  master_auth {
    client_certificate_config {
      # Disabling client certificate issuance is what CKV_GCP_13 checks for.
      issue_client_certificate = false
    }
  }

  node_config {
    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    # google_service_account.default is assumed to be declared elsewhere in the module.
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]

    labels = {
      foo = "bar"
    }

    tags = ["foo", "bar"]
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}
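The following is an added example, not Checkov's or Bridgecrew's own implementation: a standalone Python check that evaluates the same `master_auth.client_certificate_config.issue_client_certificate` setting over parsed Terraform resources. It assumes the nested-list shape that HCL-to-dict parsers such as python-hcl2 produce, and the sample module it scans is constructed inline.

```python
from typing import Any

PASSED, FAILED, MISSING = "PASSED", "FAILED", "MISSING"
# Attribute the check inspects; each nested block is a list of bodies, as an
# HCL-to-dict parser such as python-hcl2 produces (assumed shape).
INSPECTED_PATH = ("master_auth", "client_certificate_config", "issue_client_certificate")

def _walk(body: dict, path: tuple) -> Any:
    """Follow a block path, taking the first body of each nested block."""
    node: Any = body
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
        if isinstance(node, list):  # parser wraps blocks and values in lists
            node = node[0] if node else None
    return node

def check_client_certificate(resource: dict) -> str:
    """PASSED only when issue_client_certificate is explicitly false."""
    value = _walk(resource, INSPECTED_PATH)
    if value is None:
        return MISSING  # not set: the cluster relies on the provider default
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered not in ("true", "false"):
            return MISSING  # unresolved expression, e.g. a variable reference
        value = lowered == "true"
    return FAILED if value else PASSED

def scan(module: dict) -> dict:
    """Evaluate every google_container_cluster resource in a parsed module."""
    clusters = module.get("google_container_cluster", {})
    return {name: check_client_certificate(body) for name, body in clusters.items()}

# Constructed sample module: compliant, non-compliant and unspecified clusters.
SAMPLE_MODULE = {
    "google_container_cluster": {
        "primary": {"master_auth": [{"client_certificate_config": [{"issue_client_certificate": [False]}]}]},
        "legacy": {"master_auth": [{"client_certificate_config": [{"issue_client_certificate": [True]}]}]},
        "bare": {"name": ["no-master-auth-block"]},
    }
}

if __name__ == "__main__":
    for cluster, verdict in scan(SAMPLE_MODULE).items():
        print(f"{cluster}: {verdict}")
```

A `MISSING` verdict is reported separately from `FAILED` so that a reviewer can confirm which default the provider version in use applies before treating the cluster as compliant.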