GCP Kubernetes Engine Clusters Client Certificate Is Set To Disabled

This policy identifies Kubernetes Engine Clusters which have disabled Client Certificate. A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint. Enabling Client Certificate will provide more security to authenticate users to the cluster.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform

Build Rules

GCP Kubernetes Engine Clusters Client Certificate is set to Disabled.
JSON Query:
$.resource[*].google_container_cluster[*].*.*.master_auth[*].client_certificate_config[*].issue_client_certificate anyTrue
Recommendation:
Recommended solution to enable GCP Kubernetes Engine Clusters client certificate.
Ensure that GCP Kubernetes Engine Clusters Client Certificate is enabled. Please make sure that if the template has "issue_client_certificate" under "client_certificate_config", it is set to true.
For example:
"google_container_cluster": [ { "<container_cluster_name>": [ { "initial_node_count": 1, "location": "us-central1", "master_auth": [ { "client_certificate_config": [ { "issue_client_certificate": true } ], "password": "", "username": "" } ], "name": "my-gke-cluster", "remove_default_node_pool": true } ] } ]

Run Rule Recommendation

GCP Kubernetes Clusters Client Certificate can be enabled only at the time of creation of clusters. So to fix this alert, create a new cluster with Client Certificate enabled and then migrate all required cluster data or containers from the reported cluster to this new cluster.
To create the cluster with Client Certificate enabled, perform following steps:.
  1. Login to GCP Portal.
  2. Go to Kubernetes Engine (Left Panel).
  3. Select Kubernetes clusters.
  4. Click on 'CREATE CLUSTER'.
  5. Set the 'Client certificate' to Enabled.
  6. Click on 'Create'.

Compliance

There are 10 standards that are applicable to this policy:
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • HIPAA
  • SOC 2
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • CSA CCM v3.0.1
  • PCI DSS v3.2
  • NIST 800-53 Rev4
  • CCPA 2018

Recommended For You