lacework-global-776
Disable authentication using Client Certificates (Automated)
Description
Disable Client Certificates, which require certificate rotation, for authentication. Instead, use another authentication method like OpenID Connect.
Remediation
Note: In Google Kubernetes Engine (GKE) v1.8 and later, legacy Attribute-Based Access Control (ABAC) is disabled by default, and the client certificate is not granted any permissions.
While it is possible to create a client certificate for use with Role-Based Access Control (RBAC), you should avoid this in favour of other authentication methods.
See https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication for more details.
Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.
Currently, there is no way to remove a client certificate from an existing cluster, so you must create a new cluster.
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
- Configure the cluster as required, then click Security under CLUSTER in the navigation pane.
- Ensure that the "Issue a client certificate" checkbox is not ticked.
- Click CREATE.
Using Command Line:
Create a new cluster without a Client Certificate:
gcloud container clusters create <cluster_name> --no-issue-client-certificate
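The check behind this policy is whether a cluster's masterAuth block still carries client certificate issuance. The following script is an added example, not Lacework's or Google's code: it evaluates the output shape of `gcloud container clusters list --format=json` (field names masterAuth.clientCertificateConfig.issueClientCertificate and masterAuth.clientCertificate are from the GKE API; the cluster names, locations and certificate strings are constructed) and builds the remediation command from the page for each non-compliant cluster. It treats a missing field as "not enabled", because gcloud omits false and empty values, and flags a cluster that already holds a certificate even when the config block is absent.

```python
import json
import subprocess
from typing import Any, Dict, List

# Constructed sample in the shape returned by `gcloud container clusters list --format=json`.
# Names, locations and certificate payloads are made up; only the field names are real.
SAMPLE_CLUSTERS_JSON = """
[
  {
    "name": "legacy-cluster",
    "location": "us-central1",
    "masterAuth": {
      "clientCertificateConfig": {"issueClientCertificate": true},
      "clientCertificate": "LS0tLS1CRUdJTi...constructed...",
      "clusterCaCertificate": "LS0tLS1CRUdJTi...constructed..."
    }
  },
  {
    "name": "hardened-cluster",
    "location": "europe-west1",
    "masterAuth": {
      "clusterCaCertificate": "LS0tLS1CRUdJTi...constructed..."
    }
  },
  {
    "name": "odd-cluster",
    "location": "asia-east1",
    "masterAuth": {
      "clientCertificate": "LS0tLS1CRUdJTi...constructed..."
    }
  }
]
"""


def issues_client_certificate(cluster: Dict[str, Any]) -> bool:
    """True if the cluster is configured to issue, or already holds, a client certificate.

    gcloud drops false/empty fields from its JSON output, so an absent key means 'off'.
    """
    master_auth = cluster.get("masterAuth") or {}
    cfg = master_auth.get("clientCertificateConfig") or {}
    if cfg.get("issueClientCertificate", False):
        return True
    # The issued certificate itself is what grants API access, so flag it even
    # when the config block is missing from the output.
    return bool(master_auth.get("clientCertificate"))


def noncompliant_clusters(clusters_json: str) -> List[str]:
    """Names (with location) of clusters that fail this policy."""
    clusters = json.loads(clusters_json)
    return [
        f"{c['name']} ({c.get('location', '?')})"
        for c in clusters
        if issues_client_certificate(c)
    ]


def remediation_command(cluster_name: str, location: str) -> List[str]:
    """argv for the page's remediation: recreate the cluster without a client certificate."""
    return [
        "gcloud", "container", "clusters", "create", cluster_name,
        "--location", location, "--no-issue-client-certificate",
    ]


def live_clusters_json(project: str) -> str:
    """Fetch the real list for a project; needs an authenticated gcloud and is not run offline."""
    return subprocess.run(
        ["gcloud", "container", "clusters", "list", "--project", project, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    for entry in noncompliant_clusters(SAMPLE_CLUSTERS_JSON):
        print("client certificate enabled:", entry)
    print("example remediation:", " ".join(remediation_command("new-cluster", "us-central1")))
```

Replace `SAMPLE_CLUSTERS_JSON` with `live_clusters_json("<project_id>")` to run it against a real project; the remediation command is printed rather than executed because recreating a cluster also requires migrating its workloads.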
References
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods
https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#disabling_authentication_with_a_client_certificate
https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication