Information
Disable Basic Authentication (basic auth) for API server authentication as it uses static passwords which need to be rotated.
Rationale:
Basic Authentication allows a user to authenticate to a Kubernetes cluster with a username and static password which is stored in plaintext (without any encryption). Disabling Basic Authentication will prevent attacks like brute force and credential stuffing. It is recommended to disable Basic Authentication and instead use another authentication method such as OpenID Connect.
GKE manages authentication via gcloud using the OpenID Connect token method, setting up the Kubernetes configuration, getting an access token, and keeping it up to date. This means Basic Authentication using static passwords and Client Certificate authentication, which both require additional management overhead of key management and rotation, are not necessary and should be disabled.
When Basic Authentication is disabled, you will still be able to authenticate to the cluster with other authentication methods, such as OpenID Connect tokens. See also Recommendation 6.8.2 to disable authentication using Client Certificates.
Solution
Using Google Cloud Console
Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
Select the Kubernetes cluster for which Basic Authentication is currently enabled
Click on EDIT
Set 'Basic authentication' to 'Disabled'
Click SAVE.
Using Command Line
To update an existing cluster and disable Basic Authentication by removing the static password:
gcloud container clusters update [CLUSTER_NAME] \
--no-enable-basic-auth
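To audit this recommendation at scale, the following added example (not part of the benchmark text) parses the JSON that gcloud container clusters list --format=json prints, flags every cluster whose masterAuth still carries a username or static password, and builds the update command above for each one; the two-cluster sample output is constructed inline so the check runs offline.

```python
"""Audit GKE clusters for Basic Authentication (CIS GKE 6.8.1).

Added example, not part of the benchmark text. It parses the JSON that
`gcloud container clusters list --format=json` prints; the sample below is
constructed inline so the check runs offline.
"""
import json
import shlex

# Constructed sample of two clusters: one still has a static password set in
# masterAuth, the other has Basic Authentication disabled (no username/password).
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    {
        "name": "legacy-cluster",
        "location": "us-central1",
        "masterAuth": {"username": "admin", "password": "REDACTED-PLACEHOLDER"},
    },
    {
        "name": "hardened-cluster",
        "location": "europe-west1",
        "masterAuth": {"clusterCaCertificate": "LS0t...PLACEHOLDER"},
    },
])


def basic_auth_enabled(cluster):
    """Basic Authentication is on when masterAuth carries a username or password.

    GKE leaves both fields empty (or absent) when Basic Authentication is disabled.
    """
    master_auth = cluster.get("masterAuth") or {}
    return bool(master_auth.get("username") or master_auth.get("password"))


def find_noncompliant(gcloud_json):
    """Return (name, location) for every cluster that still accepts static passwords."""
    clusters = json.loads(gcloud_json)
    return [(c["name"], c["location"]) for c in clusters if basic_auth_enabled(c)]


def remediation_command(name, location):
    """Build the documented gcloud update that removes the static password."""
    return ("gcloud container clusters update %s --location %s --no-enable-basic-auth"
            % (shlex.quote(name), shlex.quote(location)))


if __name__ == "__main__":
    for name, location in find_noncompliant(SAMPLE_GCLOUD_OUTPUT):
        print("Basic Authentication enabled on %s (%s); remediate with:" % (name, location))
        print("  " + remediation_command(name, location))
```

Replace SAMPLE_GCLOUD_OUTPUT with the live output of gcloud container clusters list --format=json to audit a real project.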
Impact:
Users will no longer be able to authenticate with a static password. You will have to configure and use alternate authentication mechanisms, such as OpenID Connect tokens.
Default Value:
Clusters created from GKE version 1.12 have Basic Authentication and Client Certificate issuance disabled by default.