Cluster Master Authentication Disabled

ID

gcp_cluster_master_authentication_disabled

Severity

high

Vendor

GCP

Resource

APPLICATION SECURITY

Tags

reachable

Description

The master_auth parameter configures authentication and authorization for the cluster master. It has two fields, username and password, which are used for basic authentication. Setting both restricts access to your cluster master and improves security.

To fix it, configure the master_auth property of the cluster with both the username and password parameters for authentication.

Learn more about this topic at Creating a private cluster.

NOTE: A stronger security recommendation is to disable basic authentication and use other authentication methods. See also the gcp_gke_basic_authentication_enabled detector.

Examples

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_admin   # password is not set, so master basic auth is incomplete
    node_config:
      machine_type: n1-standard
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_admin   # both fields are set
      password: passwd
    node_config:
      machine_type: n1-standard
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
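The check this detector performs, written out as an added example (this is not the detector's own implementation): it walks already-parsed Ansible tasks, finds gcp_container_cluster modules, and reports a master_auth that is absent or lacks a username or password. It assumes the playbook has been loaded into Python dicts (for example with yaml.safe_load); the sample tasks below are constructed to mirror the two examples above.

```python
# Added example (not the detector's own code): flags Ansible
# google.cloud.gcp_container_cluster tasks whose master_auth lacks a
# username or password. Tasks are already-parsed dicts (for example the
# output of yaml.safe_load on a playbook), so no YAML library is needed.
MODULE_NAMES = ("google.cloud.gcp_container_cluster", "gcp_container_cluster")
DETECTOR_ID = "gcp_cluster_master_authentication_disabled"


def check_task(task):
    """Return [(detector_id, reason)] findings for one Ansible task dict."""
    params = next((task[m] for m in MODULE_NAMES if m in task), None)
    if not isinstance(params, dict):
        return []  # not a GKE cluster task, or a malformed module block
    master_auth = params.get("master_auth")
    if not isinstance(master_auth, dict):
        return [(DETECTOR_ID, "master_auth is not configured")]
    # Empty strings or nulls count as missing, not just absent keys.
    missing = [f for f in ("username", "password")
               if not str(master_auth.get(f) or "").strip()]
    if missing:
        return [(DETECTOR_ID, "master_auth is missing: " + ", ".join(missing))]
    return []


def scan_playbook(tasks):
    """Check every task; returns [(task_name, detector_id, reason)]."""
    return [(task.get("name", "<unnamed>"), det, reason)
            for task in tasks for det, reason in check_task(task)]


# Constructed sample tasks mirroring the page's vulnerable example and its fix.
VULNERABLE_TASK = {
    "name": "create a cluster",
    "google.cloud.gcp_container_cluster": {
        "name": "cluster",
        "master_auth": {"username": "cluster_admin"},  # no password
        "location": "us-central1-a", "state": "present"}}
FIXED_TASK = {
    "name": "create a cluster",
    "google.cloud.gcp_container_cluster": {
        "name": "cluster",
        "master_auth": {"username": "cluster_admin", "password": "passwd"},
        "location": "us-central1-a", "state": "present"}}

if __name__ == "__main__":
    for name, det, reason in scan_playbook([VULNERABLE_TASK, FIXED_TASK]):
        print(f"[{det}] task '{name}': {reason}")
```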