lacework-global-726

Do not use client certificate authentication for users (Manual)

Description

Kubernetes provides the option to use client certificates for user authentication. However, because there is no way to revoke these certificates when a user leaves the organization or loses their credentials, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster, as the cluster relies on it for component-to-component authentication.

Remediation

You should implement alternative mechanisms provided by Kubernetes, such as the use of OpenID Connect (OIDC), in place of client certificates.

In a Google Kubernetes Engine (GKE) cluster, you can also remediate this by configuring the cluster so that client certificates are not made available to users.
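The check below is an added example of how a defender might audit for the two conditions this policy describes; it is not Lacework's own policy logic or a CIS benchmark script. It assumes two input shapes: the JSON printed by `gcloud container clusters describe <name> --format json`, where the field `masterAuth.clientCertificateConfig.issueClientCertificate` records whether the cluster hands out a client certificate, and the JSON printed by `kubectl config view -o json --raw`, where a user entry carrying `client-certificate-data` authenticates with a certificate rather than with an OIDC auth-provider, an exec plugin, or a bearer token. Both sample documents are constructed inline with placeholder secrets so the script runs offline.

```python
import json

# Constructed sample: trimmed shape of `gcloud container clusters describe ... --format json`.
SAMPLE_CLUSTER_JSON = """{
  "name": "example-cluster",
  "masterAuth": {
    "clientCertificateConfig": {"issueClientCertificate": true},
    "clusterCaCertificate": "PLACEHOLDER_BASE64_CA"
  }
}"""

# Constructed sample: trimmed shape of `kubectl config view -o json --raw`
# (credential material replaced with placeholders).
SAMPLE_KUBECONFIG_JSON = """{
  "apiVersion": "v1",
  "kind": "Config",
  "users": [
    {"name": "alice-cert",
     "user": {"client-certificate-data": "PLACEHOLDER_B64", "client-key-data": "PLACEHOLDER_B64"}},
    {"name": "bob-oidc",
     "user": {"auth-provider": {"name": "oidc",
              "config": {"idp-issuer-url": "https://issuer.example", "client-id": "kubernetes"}}}},
    {"name": "gke-exec",
     "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
              "command": "gke-gcloud-auth-plugin"}}},
    {"name": "carol-token",
     "user": {"token": "PLACEHOLDER_TOKEN"}}
  ]
}"""


def cluster_issues_client_cert(describe_json: str) -> bool:
    """True if the GKE cluster is configured to issue a client certificate to users.

    A missing or empty clientCertificateConfig is treated as 'not issued'.
    """
    cluster = json.loads(describe_json)
    cfg = cluster.get("masterAuth", {}).get("clientCertificateConfig") or {}
    return bool(cfg.get("issueClientCertificate", False))


def classify_user_auth(user_entry: dict) -> str:
    """Label how one kubeconfig user entry authenticates."""
    u = user_entry.get("user", {})
    if "client-certificate-data" in u or "client-certificate" in u:
        return "client-certificate"          # the unrevocable mechanism this policy flags
    if "exec" in u:
        return "exec"                        # credential plugin (e.g. gke-gcloud-auth-plugin)
    if "auth-provider" in u:
        return "auth-provider:" + u["auth-provider"].get("name", "?")  # e.g. oidc
    if "token" in u or "tokenFile" in u:
        return "token"
    return "unknown"


def kubeconfig_cert_users(kubeconfig_json: str) -> list:
    """Names of kubeconfig users that rely on client certificates."""
    cfg = json.loads(kubeconfig_json)
    return [e["name"] for e in cfg.get("users", [])
            if classify_user_auth(e) == "client-certificate"]


def audit(describe_json: str, kubeconfig_json: str) -> list:
    """Collect findings for the cluster setting and for each certificate-based user."""
    findings = []
    if cluster_issues_client_cert(describe_json):
        findings.append("cluster issues a client certificate (issueClientCertificate=true)")
    for name in kubeconfig_cert_users(kubeconfig_json):
        findings.append(f"kubeconfig user '{name}' authenticates with a client certificate")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLUSTER_JSON, SAMPLE_KUBECONFIG_JSON):
        print("FINDING:", finding)
```

Against real data, feed the script the output of the two commands named in the lead-in; users reported as `client-certificate` are the ones to migrate to OIDC or an exec credential plugin, and a cluster reporting `issueClientCertificate=true` is the setting the GKE remediation targets.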

References

https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Additional Information

The recent Kubernetes security audit flagged the lack of certificate revocation as a high-risk issue. Without this feature, client certificate authentication is not suitable for end users.