GCP Kubernetes engine clusters have client certificate disabled
Description
Kubernetes uses client certificates, bearer tokens, an authenticating proxy, HTTP basic auth or OAuth app to authenticate API requests through authentication plugins. As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request. We recommend you ensure Kubernetes engine clusters are authenticated using OAuth method and not using client certificates as before after service latest upgrade.
Code Example
go
{
"resource "google_container_cluster" "primary" {
name = "marcellus-wallace"
location = "us-central1-a"
initial_node_count = 3
master_auth {
client_certificate_config {
issue_client_certificate = false
}
}
node_config {
# Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
service_account = google_service_account.default.email
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform"
]
labels = {
foo = "bar"
}
tags = ["foo", "bar"]
}
timeouts {
create = "30m"
update = "40m"
}
}
",
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0873 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_13 |