Information
Kubernetes provides the option to use client certificates for user authentication. However, as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose.
It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.
With any authentication mechanism, the ability to revoke credentials when they are compromised or no longer required is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation.
Solution
Configure an identity provider for the OpenShift cluster following the OpenShift documentation. Once an identity provider has been defined, you can use RBAC to define and apply permissions.
After you define an identity provider and create a new cluster-admin user, you can reduce the attack surface by removing the default kubeadmin user.
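The following is an added audit script (not part of the original page or of OpenShift) that checks the three points above against constructed sample output: whether the cluster OAuth resource defines at least one identity provider, whether the default kubeadmin secret is still present in kube-system, and which kubeconfig users still rely on a non-revocable client certificate. The sample JSON documents and the user names in them are constructed for illustration.

```python
import json

# Constructed sample of `oc get oauth cluster -o json` with one identity provider.
OAUTH_CLUSTER = json.dumps({
    "apiVersion": "config.openshift.io/v1", "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {"identityProviders": [
        {"name": "corp-htpasswd", "mappingMethod": "claim", "type": "HTPasswd",
         "htpasswd": {"fileData": {"name": "htpass-secret"}}}]}})

# Constructed sample of `oc get secrets -n kube-system -o json` (only names matter here).
KUBE_SYSTEM_SECRETS = json.dumps({"items": [
    {"metadata": {"name": "kubeadmin", "namespace": "kube-system"}},
    {"metadata": {"name": "bootstrap-token-abc123", "namespace": "kube-system"}}]})

# Constructed sample kubeconfig in JSON form: one certificate user, one token user.
KUBECONFIG = json.dumps({"users": [
    {"name": "ops-cert-user", "user": {"client-certificate-data": "LS0t...",
                                       "client-key-data": "LS0t..."}},
    {"name": "alice", "user": {"token": "sha256~constructed-token"}}]})

# kubeconfig user keys that denote client certificate credentials.
CERT_KEYS = {"client-certificate", "client-certificate-data", "client-key", "client-key-data"}


def audit_oauth(oauth_json: str) -> list[str]:
    """No identity provider means users have no revocable login path to the cluster."""
    spec = json.loads(oauth_json).get("spec") or {}
    if not spec.get("identityProviders"):
        return ["no identity provider configured on OAuth/cluster"]
    return []


def audit_kubeadmin(secrets_json: str) -> list[str]:
    """The kubeadmin user exists as long as its secret exists in kube-system."""
    names = {s["metadata"]["name"] for s in json.loads(secrets_json).get("items", [])}
    return ["kubeadmin secret still present in kube-system"] if "kubeadmin" in names else []


def cert_users(kubeconfig_json: str) -> list[str]:
    """Names of kubeconfig users whose credential is a client certificate."""
    users = json.loads(kubeconfig_json).get("users") or []
    return [u["name"] for u in users if CERT_KEYS & set((u.get("user") or {}).keys())]


def audit(oauth_json: str, secrets_json: str, kubeconfig_json: str) -> list[str]:
    findings = audit_oauth(oauth_json) + audit_kubeadmin(secrets_json)
    findings += [f"kubeconfig user '{u}' authenticates with a client certificate"
                 for u in cert_users(kubeconfig_json)]
    return findings


if __name__ == "__main__":
    for finding in audit(OAUTH_CLUSTER, KUBE_SYSTEM_SECRETS, KUBECONFIG):
        print("FINDING:", finding)
```

On a live cluster, feed the script the real `oc get ... -o json` output instead of the constructed samples; a clean result is an empty findings list.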
Impact
External mechanisms for authentication generally require additional software to be deployed.