Kubernetes Clusters must be created with Client Certificate enabled

ID

gcp_client_certificate_disabled

Severity

high

Vendor

GCP

Resource

Network

Tags

reachable

Description

master_auth must have client_certificate_config with the attribute issue_client_certificate equal to true. It protects communication between the cluster components.

To fix it, you must configure the master_auth property of the cluster and ensure issue_client_certificate property under client_certificate_config is true.

Learn more about this topic at Creating a private cluster.

Learn more about this topic at About Cloud SQL backups.

Examples

- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_root
      password: secret-password
      client_certificate_config:
        issue_client_certificate: no
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_root
      password: my-secret-password
      client_certificate_config:
        issue_client_certificate: yes
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present