Ensure authentication using Client Certificates is Disabled

MEDIUM

Description

Description:

Disable Client Certificates, which require certificate rotation, for authentication. Instead, use another authentication method like OpenID Connect.

Rationale:

With Client Certificate authentication, a client presents a certificate that the API server verifies with the specified Certificate Authority. In GKE, Client Certificates are signed by the cluster root Certificate Authority. When retrieved, the Client Certificate is only base64 encoded and not encrypted.

GKE manages authentication via gcloud for you using the OpenID Connect token method, setting up the Kubernetes configuration, getting an access token, and keeping it up to date. This means Basic Authentication using static passwords and Client Certificate authentication, which both require additional management overhead of key management and rotation, are not necessary and should be disabled.

When Client Certificate authentication is disabled, you will still be able to authenticate to the cluster with other authentication methods, such as OpenID Connect tokens. See also Recommendation 6.8.1 to disable authentication using static passwords, known as Basic Authentication.

Users will no longer be able to authenticate with the pre-provisioned x509 certificate. You will have to configure and use alternate authentication mechanisms, such as OpenID Connect tokens.

Remediation

Currently, there is no way to remove a client certificate from an existing cluster. Thus a new cluster must be created.

Using Google Cloud Console

  1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
  2. Click CREATE CLUSTER
  3. Configure as required and the click on 'Availability, networking, security, and additional features' section
  4. Ensure that the 'Issue a client certificate' checkbox is not ticked
  5. Click CREATE.

Using Command Line

Create a new cluster without a Client Certificate:

gcloud container clusters create [CLUSTER_NAME] \
--no-issue-client-certificate