Google Kubernetes Engine (GKE) Basic Authentication must be disabled

ID

gcp_gke_basic_authentication_enabled

Severity

high

Vendor

GCP

Resource

Network

Tags

reachable

Description

The master_auth block configures how clients authenticate to the cluster master (the Kubernetes API server). Its username and password fields enable HTTP basic authentication: a single static credential that grants full access to the API server, is shared by everyone who uses it, cannot be attributed to an individual user in audit logs, and is sent with every request. Leaving basic authentication enabled therefore weakens control over who can reach the cluster master.

It is recommended to disable basic authentication and rely on Google Cloud IAM instead (for example, credentials obtained with gcloud container clusters get-credentials). To disable it, both the username and the password in the master_auth block must be empty strings. Note that GKE versions 1.19 and later reject basic authentication entirely, so a task that sets either field will also fail against such clusters.

To fix it, configure the master_auth property of the cluster with both the username and password parameters set to an empty string; the rule flags a task in which either field is non-empty.

Learn more about this topic at Creating a private cluster.

Examples

---
# Non-compliant: a username is set in master_auth, so basic authentication
# is enabled on the cluster master with a static, shared credential.
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: cluster
    initial_node_count: 1
    master_auth:
      username: cluster_admin   # basic auth is enabled as soon as either field is non-empty
      password: ''
    node_config:
      machine_type: n1-standard-1   # "n1-standard" alone is not a valid machine type
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
# Compliant: both basic-auth fields are explicitly empty, so no static
# credential is created and clients authenticate through Google Cloud IAM.
- name: create a cluster
  google.cloud.gcp_container_cluster:
    name: my-cluster
    initial_node_count: 1
    master_auth:
      username: ''
      password: ''
    node_config:
      machine_type: n1-standard-4
      disk_size_gb: 500
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
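The following Python script is an added example; it is not part of this rule page or of the google.cloud Ansible collection. It implements the check the description spells out (a master_auth block with a non-empty username or password means basic authentication is enabled) together with the remediation (both fields set to empty strings), and runs it over the two playbook snippets above, embedded as the Python structures PyYAML would load them into so that no YAML parser is needed. The task layout and module names are those of the google.cloud.gcp_container_cluster module; the finding format and the handling of templated values, deletions and missing master_auth blocks are my own choices.

```python
"""Detect and remediate GKE basic authentication in Ansible playbook tasks.

Added example for this rule page; not code from the page or from the
google.cloud Ansible collection. The two playbooks at the bottom are the
page's own snippets written as the Python structures PyYAML produces when
loading them, so the check runs offline without a YAML parser.
"""
import copy
from typing import Any, Dict, Iterable, List

# Long and short module names under which a task may create a GKE cluster.
CLUSTER_MODULES = ("google.cloud.gcp_container_cluster", "gcp_container_cluster")


def _is_set(value: Any) -> bool:
    """A credential field counts as set unless it is None or an empty or
    whitespace-only string. A Jinja template such as "{{ pw }}" is treated
    as set, because its rendered value is unknown at scan time."""
    return value is not None and str(value).strip() != ""


def basic_auth_findings(playbook: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per task that creates or updates a GKE cluster with a
    non-empty username or password in master_auth, i.e. with basic auth enabled.

    Mirrors the page's rule: only a master_auth block with a non-empty field is
    flagged. Tasks that delete clusters (state: absent) are skipped.
    """
    findings = []
    for task in playbook:
        module = next((m for m in CLUSTER_MODULES if m in task), None)
        if module is None:
            continue  # not a GKE cluster task (e.g. debug, copy)
        params = task.get(module) or {}
        if params.get("state", "present") == "absent":
            continue
        master_auth = params.get("master_auth") or {}
        fields = [f for f in ("username", "password") if _is_set(master_auth.get(f))]
        if fields:
            findings.append({"task": task.get("name", "<unnamed>"),
                             "cluster": params.get("name"),
                             "fields": fields})
    return findings


def disable_basic_auth(task: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy of a cluster task with master_auth.username and
    master_auth.password both set to '', the remediation the rule asks for.
    An explicit empty block is written even when master_auth was absent:
    GKE versions before 1.12 generated basic-auth credentials when the block
    was omitted. Tasks for other modules are returned unchanged."""
    fixed = copy.deepcopy(task)
    for module in CLUSTER_MODULES:
        if module in fixed:
            params = fixed[module] = fixed.get(module) or {}
            if not isinstance(params.get("master_auth"), dict):
                params["master_auth"] = {}
            params["master_auth"]["username"] = ""
            params["master_auth"]["password"] = ""
    return fixed


# Constructed input: the page's non-compliant example (username set, password empty).
NONCOMPLIANT_PLAYBOOK = [{
    "name": "create a cluster",
    "google.cloud.gcp_container_cluster": {
        "name": "cluster",
        "initial_node_count": 1,
        "master_auth": {"username": "cluster_admin", "password": ""},
        "node_config": {"machine_type": "n1-standard-1", "disk_size_gb": 500},
        "location": "us-central1-a",
        "project": "test_project",
        "auth_kind": "serviceaccount",
        "service_account_file": "/tmp/auth.pem",
        "state": "present",
    },
}]

# Constructed input: the page's remediated example (both fields empty).
COMPLIANT_PLAYBOOK = [{
    "name": "create a cluster",
    "google.cloud.gcp_container_cluster": {
        "name": "my-cluster",
        "initial_node_count": 1,
        "master_auth": {"username": "", "password": ""},
        "node_config": {"machine_type": "n1-standard-4", "disk_size_gb": 500},
        "location": "us-central1-a",
        "project": "test_project",
        "auth_kind": "serviceaccount",
        "service_account_file": "/tmp/auth.pem",
        "state": "present",
    },
}]

if __name__ == "__main__":
    for finding in basic_auth_findings(NONCOMPLIANT_PLAYBOOK):
        print(f"basic auth enabled in task '{finding['task']}' "
              f"(cluster {finding['cluster']}): {', '.join(finding['fields'])}")
    remediated = [disable_basic_auth(t) for t in NONCOMPLIANT_PLAYBOOK]
    print("findings after remediation:", basic_auth_findings(remediated))
```

To use it on a real playbook, load the file with yaml.safe_load and pass the resulting task list to basic_auth_findings; templated credentials are reported rather than resolved, because a value that only becomes known at run time is exactly the kind of static secret this rule exists to catch.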