lacework-global-776

Disable authentication using Client Certificates (Automated)

Description

Disable Client Certificates, which require certificate rotation, for authentication. Instead, use another authentication method like OpenID Connect.

Remediation

Note: In Google Kubernetes Engine (GKE) v1.8 and later, legacy Attribute-Based Access Control (ABAC) is disabled by default, and the client certificate is not granted any permissions.

While it is possible to create a client certificate for use with Role-Based Access Control (RBAC), you should avoid this in favour of other authentication methods.

See https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication for more details.

Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.

Currently, there is no way to remove a client certificate from an existing cluster, thus you must create a new cluster.

Using Google Cloud Console:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
  3. Configure the cluster as required then click Security under CLUSTER in the navigation pane.
  4. Ensure that the Issue a client certificate checkbox is not ticked.
  5. Click CREATE.

Using Command Line:

Create a new cluster without a Client Certificate:

gcloud container clusters create <cluster_name> --no-issue-client-certificate
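An added audit check for the automated side of this policy (example code, not Lacework's or Google's own): it parses the JSON that `gcloud container clusters list --format=json` prints and flags clusters whose `masterAuth` block shows that a client certificate was issued, pairing each finding with the replacement-cluster command given above. The sample input is constructed, and the field names `masterAuth.clientCertificateConfig.issueClientCertificate` and `masterAuth.clientCertificate` are assumed from the GKE API.

```python
import json

# Constructed sample shaped like `gcloud container clusters list --format=json`.
# Only the fields this check inspects are included; certificate values are
# shortened placeholders, not real material.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {
        "name": "legacy-prod",
        "location": "us-central1",
        "masterAuth": {
            "clientCertificateConfig": {"issueClientCertificate": True},
            "clientCertificate": "<constructed base64 PEM>",
            "clusterCaCertificate": "<constructed base64 PEM>",
        },
    },
    {
        "name": "hardened-dev",
        "location": "europe-west1",
        "masterAuth": {
            "clientCertificateConfig": {},
            "clusterCaCertificate": "<constructed base64 PEM>",
        },
    },
    {"name": "no-masterauth-block", "location": "us-east1"},
])


def issues_client_certificate(cluster: dict) -> bool:
    """True if the cluster was created with client certificate auth enabled.

    Assumed GKE API fields: either the explicit issueClientCertificate flag or
    an issued clientCertificate on the resource counts as non-compliant."""
    master_auth = cluster.get("masterAuth") or {}
    config = master_auth.get("clientCertificateConfig") or {}
    return bool(config.get("issueClientCertificate")) or "clientCertificate" in master_auth


def audit_clusters(clusters_json: str) -> dict:
    """Map each non-compliant cluster name to the remediation command.

    There is no in-place fix, so the value is the create command for a
    replacement cluster (name suffix "-new" is a constructed convention)."""
    findings = {}
    for cluster in json.loads(clusters_json):
        if issues_client_certificate(cluster):
            name = cluster["name"]
            findings[name] = (
                f"gcloud container clusters create {name}-new --no-issue-client-certificate"
            )
    return findings


if __name__ == "__main__":
    for name, fix in audit_clusters(SAMPLE_CLUSTERS_JSON).items():
        print(f"{name}: client certificate auth enabled; replace with:\n  {fix}")
```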

References

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods
https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#disabling_authentication_with_a_client_certificate
https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication