3.1.1 Client certificate authentication should not be used for users - Authentications


Kubernetes provides the option to use client certificates for user authentication. However, as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose.

It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.


Rationale:

With any authentication mechanism, the ability to revoke credentials if they are compromised or no longer required is a key control. Kubernetes client certificate authentication does not allow for this because it lacks support for certificate revocation.


Impact:

External mechanisms for authentication generally require additional software to be deployed.


Solution:

Configure an identity provider for the OpenShift cluster (see "Understanding identity provider configuration", Authentication, OpenShift Container Platform 4.5 documentation). Once an identity provider has been defined, you can use RBAC to define and apply permissions. After you define an identity provider and create a new cluster-admin user, remove the kubeadmin user to improve cluster security.

Default Value:

By default, only a kubeadmin user exists on your cluster. To specify an identity provider, you must create a Custom Resource (CR) that describes that identity provider and add it to the cluster.
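The following is an added audit helper, not Tenable's or OpenShift's own check, that evaluates this control against the two facts it turns on: an identity provider is defined in the OAuth cluster resource, and the kubeadmin bootstrap secret has been removed from kube-system. It assumes the inputs are the JSON you would fetch with `oc get oauth cluster -o json` and `oc get secret -n kube-system -o json`; the sample documents below are constructed.

```python
"""Added example: evaluate this control from OAuth CR and kube-system secret JSON."""
import json

# Constructed sample of an OAuth cluster CR with one OpenID identity provider.
OAUTH_CR_JSON = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {"identityProviders": [
        {"name": "corp-oidc", "mappingMethod": "claim", "type": "OpenID",
         "openID": {"clientID": "openshift",
                    "issuer": "https://idp.example.test",
                    "clientSecret": {"name": "openid-secret"}}}]},
})

# Constructed kube-system secret lists: before and after kubeadmin removal.
KUBE_SYSTEM_SECRETS_BEFORE = json.dumps({"items": [
    {"metadata": {"name": "kubeadmin", "namespace": "kube-system"}},
    {"metadata": {"name": "bootstrap-token-abc123", "namespace": "kube-system"}},
]})
KUBE_SYSTEM_SECRETS_AFTER = json.dumps({"items": [
    {"metadata": {"name": "bootstrap-token-abc123", "namespace": "kube-system"}},
]})


def audit_authentication(oauth_json: str, secrets_json: str) -> dict:
    """Return {'pass': bool, 'findings': [str, ...]} for this control."""
    findings = []
    oauth = json.loads(oauth_json)
    providers = oauth.get("spec", {}).get("identityProviders") or []
    if not providers:
        findings.append("no identity provider configured in OAuth/cluster")
    for idp in providers:
        # Every provider entry must declare its type (OpenID, LDAP, HTPasswd, ...).
        if not idp.get("type"):
            findings.append(f"identity provider {idp.get('name')!r} has no type")
    names = {s["metadata"]["name"]
             for s in json.loads(secrets_json).get("items", [])}
    # The kubeadmin user is backed by this secret; it should be gone after an IdP exists.
    if "kubeadmin" in names:
        findings.append("kubeadmin secret still present in kube-system")
    return {"pass": not findings, "findings": findings}


if __name__ == "__main__":
    print(audit_authentication(OAUTH_CR_JSON, KUBE_SYSTEM_SECRETS_BEFORE))
    print(audit_authentication(OAUTH_CR_JSON, KUBE_SYSTEM_SECRETS_AFTER))
```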

See Also


Item Details


References: 800-53|CM-6, 800-53|CM-7

Plugin: OpenShift

Control ID: 5a065325be50fec1d7ef7bff0ac4922457baec9e41c2f9921d2987aa03f3a384