5.8.2 Ensure authentication using Client Certificates is Disabled

Information

Disable Client Certificate authentication, which requires certificate rotation, and use another authentication method such as OpenID Connect instead.

Rationale:

With Client Certificate authentication, a client presents a certificate that the API server verifies with the specified Certificate Authority. In GKE, Client Certificates are signed by the cluster root Certificate Authority. When retrieved, the Client Certificate is only base64 encoded and not encrypted.

GKE manages authentication via gcloud for you using the OpenID Connect token method, setting up the Kubernetes configuration, getting an access token, and keeping it up to date. This means Basic Authentication using static passwords and Client Certificate authentication, which both require additional management overhead of key management and rotation, are not necessary and should be disabled.

When Client Certificate authentication is disabled, you will still be able to authenticate to the cluster with other authentication methods, such as OpenID Connect tokens. See also Recommendation 6.8.1 to disable authentication using static passwords, known as Basic Authentication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Currently, there is no way to remove a client certificate from an existing cluster. Thus a new cluster must be created.

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Click CREATE CLUSTER

Configure as required, then click on the 'Availability, networking, security, and additional features' section

Ensure that the 'Issue a client certificate' checkbox is not ticked

Click CREATE.

Using Command Line

Create a new cluster without a Client Certificate:

gcloud container clusters create [CLUSTER_NAME] \
--no-issue-client-certificate
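Because an existing cluster cannot have its certificate removed, the practical check is to audit which clusters were created with issuance enabled. The helper below is an added example, not part of the benchmark or the Nessus plugin: it reads the JSON returned by `gcloud container clusters describe CLUSTER --format=json` (or `clusters list --format=json`) and flags clusters where `masterAuth.clientCertificateConfig.issueClientCertificate` is set or a base64-encoded client certificate is present. The field paths are those of the GKE cluster resource; the sample JSON is constructed.

```python
import base64
import json


def client_cert_findings(cluster: dict) -> dict:
    """Evidence for recommendation 5.8.2 from one cluster object as returned
    by `gcloud container clusters describe CLUSTER --format=json`.
    Two signals: the creation-time flag
    masterAuth.clientCertificateConfig.issueClientCertificate, and whether a
    base64-encoded PEM cert is actually present in masterAuth.clientCertificate.
    """
    master_auth = cluster.get("masterAuth") or {}
    cert_cfg = master_auth.get("clientCertificateConfig") or {}
    issue_flag = bool(cert_cfg.get("issueClientCertificate", False))
    cert_b64 = master_auth.get("clientCertificate") or ""
    cert_present = False
    if cert_b64:
        try:
            pem = base64.b64decode(cert_b64, validate=True).decode("ascii")
            cert_present = "BEGIN CERTIFICATE" in pem
        except (ValueError, UnicodeDecodeError):
            cert_present = True  # non-empty but undecodable: treat as issued
    return {
        "name": cluster.get("name", "<unnamed>"),
        "issue_flag": issue_flag,
        "cert_present": cert_present,
        "compliant": not issue_flag and not cert_present,
    }


def audit(describe_json: str) -> list:
    """Accept JSON from `clusters describe` (object) or `clusters list` (array)."""
    data = json.loads(describe_json)
    clusters = data if isinstance(data, list) else [data]
    return [client_cert_findings(c) for c in clusters]


# Constructed sample resembling `gcloud container clusters list --format=json`;
# the certificate body is a placeholder, not a real certificate.
_PLACEHOLDER_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE = json.dumps([
    {"name": "legacy-cluster",
     "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": True},
                    "clientCertificate": base64.b64encode(_PLACEHOLDER_PEM).decode()}},
    {"name": "hardened-cluster", "masterAuth": {"clientCertificateConfig": {}}},
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("PASS" if f["compliant"] else "FAIL", f["name"], f)
```

Pipe real output in with `gcloud container clusters list --format=json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; a cluster that fails either signal must be replaced, since issuance cannot be switched off in place.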

Impact:

Users will no longer be able to authenticate with the pre-provisioned x509 certificate. You will have to configure and use alternate authentication mechanisms, such as OpenID Connect tokens.

Default Value:

Clusters created from GKE version 1.12 have Basic Authentication and Client Certificate issuance disabled by default.

See Also

https://workbench.cisecurity.org/files/2764