Kubernetes Clusters must be created with Client Certificate enabled
ID | gcp_client_certificate_disabled
Severity | high
Vendor | GCP
Resource | Network
Tags | reachable
Description
The cluster's master_auth must have a client_certificate_config with the attribute issue_client_certificate set to true. The client certificate protects communication between the cluster components. To fix it, configure the master_auth property of the cluster and ensure that the issue_client_certificate property under client_certificate_config is true.
Learn more about this topic at Creating a private cluster.
Examples
```yaml
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_root
      password: secret-password
      client_certificate_config:
        issue_client_certificate: no
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
Mitigation / Fix
```yaml
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_root
      password: my-secret-password
      client_certificate_config:
        issue_client_certificate: yes
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```
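As an added example (not part of this policy page or the scanner's own code), the following Python implements the check described above over Ansible tasks already loaded from YAML, as PyYAML would produce them (YAML 1.1, so `yes`/`no` become True/False). It treats a missing master_auth or client_certificate_config as a failure and applies Ansible-style truthiness in case the value survived as a string; the sample tasks and their names are constructed for this example.

```python
"""Evaluate gcp_client_certificate_disabled against loaded Ansible tasks."""

# Ansible accepts both the FQCN and the short module name.
CLUSTER_MODULES = {"google.cloud.gcp_container_cluster", "gcp_container_cluster"}

# Ansible's truthy spellings for a boolean parameter (True and 1 are one set member).
TRUTHY = {True, "true", "yes", "on", "1"}


def is_truthy(value):
    """Apply Ansible-style boolean coercion to a YAML scalar; None/False/"no" are false."""
    if isinstance(value, str):
        value = value.strip().lower()
    return value in TRUTHY


def issue_client_certificate_enabled(params):
    """True only if master_auth.client_certificate_config.issue_client_certificate is true.

    Absent master_auth or client_certificate_config fails: the policy needs an explicit true.
    """
    master_auth = params.get("master_auth") or {}
    cert_cfg = master_auth.get("client_certificate_config") or {}
    return is_truthy(cert_cfg.get("issue_client_certificate"))


def check_tasks(tasks):
    """Return the names of cluster-creation tasks that violate the policy."""
    findings = []
    for task in tasks:
        for module, params in task.items():
            if module in CLUSTER_MODULES and isinstance(params, dict):
                if not issue_client_certificate_enabled(params):
                    findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample tasks, as YAML 1.1 loading would represent them.
SAMPLE_TASKS = [
    {"name": "cluster with certificate disabled",
     "google.cloud.gcp_container_cluster": {"name": "cluster", "master_auth": {
         "client_certificate_config": {"issue_client_certificate": False}}}},
    {"name": "cluster without master_auth",
     "google.cloud.gcp_container_cluster": {"name": "cluster"}},
    {"name": "cluster with certificate enabled",
     "gcp_container_cluster": {"name": "cluster", "master_auth": {
         "client_certificate_config": {"issue_client_certificate": True}}}},
]

if __name__ == "__main__":
    for name in check_tasks(SAMPLE_TASKS):
        print(f"FAIL gcp_client_certificate_disabled: {name}")
```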