3.1.1 Client certificate authentication should not be used for users - ClusterRoleBindings

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose.

It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.

Rationale:

With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation.

Impact:

External mechanisms for authentication generally require additional software to be deployed.

Solution

Configure an identity provider for the OpenShift cluster. Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5. Once an identity provider has been defined, you can use RBAC to define and apply permissions. After you define an identity provider and create a new cluster-admin user, remove the kubeadmin user to improve cluster security.

Default Value:

By default, only a kubeadmin user exists on your cluster. To specify an identity provider, you must create a Custom Resource (CR) that describes that identity provider and add it to the cluster.

See Also

https://workbench.cisecurity.org/files/4260