5.8.1 Ensure Basic Authentication using static passwords is Disabled

Information

Disable Basic Authentication (basic auth) for API server authentication, because it relies on static passwords that must be managed and rotated.

Rationale:

Basic Authentication allows a user to authenticate to a Kubernetes cluster with a username and a static password that is stored in plaintext (without any encryption). Disabling Basic Authentication prevents attacks such as brute force and credential stuffing against that password. It is recommended to disable Basic Authentication and instead use another authentication method such as OpenID Connect.

GKE manages authentication via gcloud using the OpenID Connect token method, setting up the Kubernetes configuration, getting an access token, and keeping it up to date. This means Basic Authentication using static passwords and Client Certificate authentication, which both require additional management overhead of key management and rotation, are not necessary and should be disabled.

When Basic Authentication is disabled, you will still be able to authenticate to the cluster with other authentication methods, such as OpenID Connect tokens. See also Recommendation 6.8.2 to disable authentication using Client Certificates.

Solution

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select the Kubernetes cluster for which Basic Authentication is currently enabled

Click on EDIT

Set 'Basic authentication' to 'Disabled'

Click SAVE.

Using Command Line

To update an existing cluster and disable Basic Authentication by removing the static password:

gcloud container clusters update [CLUSTER_NAME] \
--no-enable-basic-auth
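To run this check across every cluster in a project rather than one at a time, the following added audit script (not part of the CIS benchmark or of gcloud) reads the output of gcloud container clusters list --format=json, flags clusters whose masterAuth.username is still set, and prints the remediation command above for each. The sample JSON is constructed; the zone-versus-region rule for the location flag is an assumption.

```python
"""Audit GKE clusters for Basic Authentication (static password) and emit the remediation."""
import json
import shlex
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `gcloud container clusters list --format=json` output,
# trimmed to the fields this check uses (the real output carries many more).
SAMPLE_CLUSTERS_JSON = """[
  {"name": "legacy-prod", "location": "us-central1-a",  "masterAuth": {"username": "admin"}},
  {"name": "modern-dev",  "location": "us-east1",       "masterAuth": {"clusterCaCertificate": "..."}},
  {"name": "unset-user",  "location": "europe-west1-b", "masterAuth": {"username": ""}}
]"""


def basic_auth_enabled(cluster: Dict) -> bool:
    """Basic auth is in use when masterAuth.username holds a non-empty value.

    A cluster created with basic auth disabled has no username at all; an empty
    string means the static password login has already been removed.
    """
    return bool(cluster.get("masterAuth", {}).get("username"))


def remediation_command(cluster: Dict) -> List[str]:
    """Build the benchmark's remediation as argv, scoped to the cluster's location.

    Assumption: zonal locations have three dash-separated parts (us-central1-a)
    and take --zone; regional ones (us-east1) take --region.
    """
    loc = cluster["location"]
    scope = "--zone" if loc.count("-") == 2 else "--region"
    return ["gcloud", "container", "clusters", "update", cluster["name"],
            scope, loc, "--no-enable-basic-auth"]


def audit(clusters_json: str) -> List[List[str]]:
    """Return one remediation argv per cluster that still has basic auth enabled."""
    return [remediation_command(c) for c in json.loads(clusters_json) if basic_auth_enabled(c)]


if __name__ == "__main__":
    # With --live, read the real cluster list from gcloud; otherwise use the sample.
    if "--live" in sys.argv:
        data = subprocess.run(["gcloud", "container", "clusters", "list", "--format=json"],
                              check=True, capture_output=True, text=True).stdout
    else:
        data = SAMPLE_CLUSTERS_JSON
    for cmd in audit(data):
        print(shlex.join(cmd))  # printed for review, not executed
```

The script only prints the update commands; run them once the affected clusters have an alternate authentication method such as OpenID Connect tokens in place.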

Impact:

Users will no longer be able to authenticate with a static password. You will have to configure and use alternate authentication mechanisms, such as OpenID Connect tokens.

Default Value:

Clusters created from GKE version 1.12 have Basic Authentication and Client Certificate issuance disabled by default.

See Also

https://workbench.cisecurity.org/files/2764