Kubernetes Engine Clusters must have Legacy Authorization set to disabled

ID

gcp_gke_legacy_authorization_enabled

Severity

high

Vendor

GCP

Resource

AIM

Tags

non-reachable

Description

GKE Legacy Authorization (the legacy_abac cluster setting) is a feature that allows you to use Kubernetes RBAC (Role-Based Access Control) to authorize access to the Kubernetes API server. It is not recommended for production use because it grants broad permissions to every authenticated user.

The default status of GKE Legacy Authorization depends on the version of your GKE cluster. For clusters running version 1.8 or higher, it is disabled by default. For clusters running version 1.7 or lower, it is enabled by default.

To fix it, set the enabled field of the legacy_abac property to false.

Learn more about this topic at Authenticating to the Kubernetes API server.

Examples

---
- name: Create a GKE cluster with Legacy Authorization disabled
  gcp_container_cluster:
    name: my-cluster
    initial_node_count: 1
    node_config:
      machine_type: n1-standard-1
      oauth_scopes:
        - https://www.googleapis.com/auth/cloud-platform
      disk_size_gb: 100
      preemptible: true
      tags:
        - http-server
        - https-server
        - cloud-sql-proxy
      metadata:
        disable-legacy-endpoints: "true"
        enable-oslogin: "true"
        enable-osconfig: "true"
        enable-shielded-nodes: "true"
        enable-guest-attributes: "true"
      labels:
        env: dev
      image_type: COS_CONTAINERD
      sandbox_config:
        type: gvisor
      shielded_instance_config:
        enable_secure_boot: true
        enable_integrity_monitoring: true
      workload_metadata_config:
        node_metadata: SECURE
        mode: GKE_METADATA_SERVER
        workload_pool: "{{ project }}.svc.id.goog"
    # Legacy Authorization off: this is the setting the rule checks
    legacy_abac:
      enabled: false
    location: "{{ zone }}"
    project: "{{ project }}"
    auth_kind: "{{ auth_kind }}"
    service_account_file: "{{ service_account_file }}"
    state: present
  # register is a task keyword, so it sits beside the module, not inside its parameters
  register: gke_cluster

Mitigation / Fix

---
- name: Create a GKE cluster with Legacy Authorization disabled
  gcp_container_cluster:
    name: my-cluster
    initial_node_count: 1
    node_config:
      machine_type: n1-standard-1
      oauth_scopes:
        - https://www.googleapis.com/auth/cloud-platform
      disk_size_gb: 100
      preemptible: true
      tags:
        - http-server
        - https-server
        - cloud-sql-proxy
      metadata:
        disable-legacy-endpoints: "true"
        enable-oslogin: "true"
        enable-osconfig: "true"
        enable-shielded-nodes: "true"
        enable-guest-attributes: "true"
      labels:
        env: dev
      image_type: COS_CONTAINERD
      sandbox_config:
        type: gvisor
      shielded_instance_config:
        enable_secure_boot: true
        enable_integrity_monitoring: true
      workload_metadata_config:
        node_metadata: SECURE
        mode: GKE_METADATA_SERVER
        workload_pool: "{{ project }}.svc.id.goog"
    # Legacy Authorization off: this is the fix the rule requires
    legacy_abac:
      enabled: false
    location: "{{ zone }}"
    project: "{{ project }}"
    auth_kind: "{{ auth_kind }}"
    service_account_file: "{{ service_account_file }}"
    state: present
  # register is a task keyword, so it sits beside the module, not inside its parameters
  register: gke_cluster
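The Ansible task above prevents the finding at creation time; the check below is an added example (not part of this rule page or of any scanner) that audits existing clusters by applying the rule to the JSON that gcloud container clusters list --format=json prints. The sample cluster records are constructed, and the fallback for a cluster that reports no legacyAbac value (assume the version-based default described above) is an assumption of this example.

```python
import json

# Constructed sample, trimmed to the fields the check reads; not real cluster data.
SAMPLE_LIST_JSON = """
[
  {"name": "prod-a",   "currentMasterVersion": "1.27.3-gke.100", "legacyAbac": {"enabled": true}},
  {"name": "prod-b",   "currentMasterVersion": "1.27.3-gke.100", "legacyAbac": {}},
  {"name": "legacy-c", "currentMasterVersion": "1.7.12-gke.1"}
]
"""

RULE_ID = "gcp_gke_legacy_authorization_enabled"
SEVERITY = "high"


def minor_version(gke_version: str) -> tuple[int, int]:
    """Parse '1.27.3-gke.100' into (1, 27); the -gke.N build suffix is ignored."""
    core = gke_version.split("-", 1)[0]
    major, minor = core.split(".")[:2]
    return int(major), int(minor)


def legacy_abac_enabled(cluster: dict) -> bool:
    """True when the cluster still permits Legacy Authorization.

    An explicit legacyAbac.enabled value wins. When it is absent (assumption:
    the setting was never touched), apply the default from the description:
    disabled from 1.8 on, enabled on 1.7 and lower. A missing version is
    treated as 0.0 so an unknown cluster is flagged for review, not skipped.
    """
    explicit = cluster.get("legacyAbac", {}).get("enabled")
    if explicit is not None:
        return bool(explicit)
    return minor_version(cluster.get("currentMasterVersion", "0.0")) < (1, 8)


def findings(list_json: str) -> list[dict]:
    """Return one finding per non-compliant cluster, with the gcloud remediation."""
    return [
        {
            "id": RULE_ID,
            "severity": SEVERITY,
            "cluster": c["name"],
            "remediation": f"gcloud container clusters update {c['name']} "
                           f"--no-enable-legacy-authorization",
        }
        for c in json.loads(list_json)
        if legacy_abac_enabled(c)
    ]
```

Feed the real output of gcloud container clusters list --format=json to findings() to get the same records the rule would raise; the remediation string uses the existing --no-enable-legacy-authorization flag of gcloud container clusters update.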