Client Certificate Authentication Should Not Be Used For Users
More Info:
Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.Risk Level
HighAddress
Security, ReliabilityCompliance Standards
CISGKETriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP console, follow the below steps:
- Login to the GCP console.
- Navigate to the Cloud Identity-Aware Proxy page.
- Select the project for which you want to remediate the misconfiguration.
- Click on the Edit button for the resource you want to modify.
- Under the “Authentication” section, select the “OAuth” option.
- Next, select the “User-managed” option and click on the “Save” button.
- Verify that the change has been applied by checking that the “Client Certificate” option is no longer selected under the “Authentication” section.
Using CLI
Using CLI
To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP CLI, you can follow the below steps:This command will display the current configuration of the Google Kubernetes Engine (GKE) hub.
- Open the Google Cloud Console and select the project in which you want to make the changes.
- Open the Cloud Shell by clicking on the icon on the top right corner of the console.
- In the Cloud Shell, run the following command to disable client certificate authentication:
- Verify that the authentication mode has been changed by running the following command:
- Ensure that the authentication mode is set to “NONE” for user authentication.
Using Python
Using Python
To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” in GCP using Python, you can follow the below steps:Replace
- First, you need to check if client certificate authentication is enabled for any user in your GCP project. You can use the following Python code to check this:
- If the above code returns any user who has client certificate authentication enabled, you need to disable it. You can use the following Python code to disable client certificate authentication for a user:
<user-email> with the email address of the user for whom you want to disable client certificate authentication. Replace <role> with the role assigned to the user. Replace <client-certificate-dn> with the distinguished name of the client certificate that the user is using for authentication.- Run the above code to disable client certificate authentication for the user.
- Verify that client certificate authentication is disabled for the user by running the first code snippet again. If it returns no user, then the remediation is successful.