GCP Kubernetes Engine Clusters Basic Authentication Is Set To Enabled

This policy identifies Kubernetes Engine clusters that have Basic authentication enabled. Basic authentication lets a client authenticate to the cluster API server with a static username and password that is sent on every request; because the password is long-lived and the API endpoint is reachable over the network, it is a natural target for brute-force and credential-stuffing attacks. Disabling Basic authentication removes that attack surface. Authenticate with client certificates or with Google Cloud IAM instead.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled.
JSON Query:
$.resource.*.google_container_cluster.*.*.*.master_auth exists and not ($.resource.*.google_container_cluster.*.*.*.master_auth.*.password is empty and $.resource.*.google_container_cluster.*.*.*.master_auth.*.username is empty)
Recommendation:
Disable Basic authentication on the GCP Kubernetes Engine cluster. In the master_auth block, either omit username and password entirely or set both to empty strings. The rule fires whenever master_auth exists and at least one of the two has a non-empty value, so a username with an empty password is still reported.
For example, the following configuration is reported because master_auth carries a non-empty username and password:
"google_container_cluster": [
  {
    "<container_cluster_name>": [
      {
        "initial_node_count": 1,
        "location": "us-central1",
        "master_auth": [
          {
            "username": "x",
            "password": "y"
          }
        ],
        "name": "my-gke-cluster",
        "remove_default_node_pool": true
      }
    ]
  }
]
To make it compliant, remove the username and password attributes from master_auth or set both of them to "".

Run Rule Recommendation

  1. Log in to the Google Cloud Console.
  2. Go to Kubernetes Engine in the left navigation panel.
  3. Select Kubernetes clusters.
  4. From the list of clusters, choose the reported cluster.
  5. Click the EDIT button.
  6. Set 'Basic Authentication' to Disabled.
  7. Click Save.
Any client that still signs in with the cluster username and password loses access as soon as the change is saved, so migrate those clients to client certificates or IAM first.
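The build rule and the run rule are the same test applied to two inputs: master_auth exists and at least one of username or password is non-empty. The following Python is an added example, not Prisma Cloud's rule engine or any Google code. It re-implements the JSON query over a constructed Terraform-JSON document in the shape shown under Build Rules, produces the compliant shape (empty username and password) that the recommendation asks for, and, as an assumption, applies the same check to the camelCase masterAuth field found in the JSON that `gcloud container clusters describe --format=json` returns. All cluster names and values are made up.

```python
import json

RESOURCE_TYPE = "google_container_cluster"


def _as_list(value):
    """Blocks in this Terraform-JSON shape are wrapped in lists; tolerate a bare
    dict or a missing key so odd inputs do not crash the scanner."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_empty(value):
    """The rule's 'is empty': attribute absent, None, or the empty string."""
    return value is None or value == ""


def basic_auth_enabled(attrs):
    """Build-rule logic from the page: master_auth exists and NOT (username is
    empty AND password is empty). A lone non-empty username or password is
    enough to flag the cluster."""
    if "master_auth" not in attrs:
        return False
    for block in _as_list(attrs["master_auth"]):
        if not (_is_empty(block.get("username")) and _is_empty(block.get("password"))):
            return True
    return False


def find_violations(document):
    """Walk $.resource.*.google_container_cluster.*.<name>.* and return the
    names of clusters that fail the rule, in document order."""
    violations = []
    for resource_block in _as_list(document.get("resource")):
        for cluster_block in _as_list(resource_block.get(RESOURCE_TYPE)):
            for name, instances in cluster_block.items():
                for attrs in _as_list(instances):
                    if basic_auth_enabled(attrs):
                        violations.append(name)
    return violations


def disable_basic_auth(attrs):
    """Return a copy of the cluster attributes in the compliant shape the page
    recommends: username and password present but empty. Other master_auth
    settings (e.g. client_certificate_config) are kept."""
    fixed = json.loads(json.dumps(attrs))  # deep copy via JSON round-trip
    blocks = _as_list(fixed.get("master_auth"))
    if not blocks:
        return fixed  # no master_auth block: nothing to disable
    for block in blocks:
        block["username"] = ""
        block["password"] = ""
    fixed["master_auth"] = blocks
    return fixed


def describe_enables_basic_auth(cluster):
    """Run-rule variant. Assumption: the input is the JSON printed by
    `gcloud container clusters describe --format=json`, where the same
    settings live under the camelCase key masterAuth."""
    master_auth = cluster.get("masterAuth") or {}
    return not (_is_empty(master_auth.get("username")) and _is_empty(master_auth.get("password")))


# Constructed sample document in the page's Terraform-JSON shape (not real cluster data).
SAMPLE_DOCUMENT = {
    "resource": [{
        RESOURCE_TYPE: [{
            "static-creds": [{  # flagged: static username and password
                "name": "static-creds", "location": "us-central1",
                "master_auth": [{"username": "x", "password": "y"}],
            }],
            "empty-creds": [{  # compliant: both values empty
                "name": "empty-creds", "location": "us-central1",
                "master_auth": [{"username": "", "password": ""}],
            }],
            "cert-only": [{  # compliant: master_auth without credentials
                "name": "cert-only", "location": "us-central1",
                "master_auth": [{"client_certificate_config": [{"issue_client_certificate": True}]}],
            }],
            "no-master-auth": [{  # compliant: no master_auth block at all
                "name": "no-master-auth", "location": "us-central1",
            }],
            "username-only": [{  # flagged: username set even though password is empty
                "name": "username-only", "location": "us-central1",
                "master_auth": [{"username": "admin", "password": ""}],
            }],
        }]
    }]
}

if __name__ == "__main__":
    print("violations:", find_violations(SAMPLE_DOCUMENT))
    offender = SAMPLE_DOCUMENT["resource"][0][RESOURCE_TYPE][0]["static-creds"][0]
    print("still flagged after fix?", basic_auth_enabled(disable_basic_auth(offender)))
```

Running the script lists static-creds and username-only as violations and shows that blanking both fields clears the finding; the describe-output variant is there so the same logic can be pointed at live clusters when reviewing a reported finding.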

Compliance

There are 5 standards that are applicable to this policy:
  • ISO 27001:2013
  • HIPAA
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • CCPA 2018
