Google Cloud Kubernetes Engine

Basic Authentication Enabled

Ensures that basic authentication is disabled on all clusters.

Risk Level: High

Description

This plugin ensures that basic authentication is disabled on all GKE clusters. Static passwords are used in basic authentication, which is not the recommended technique for logging onto the Kubernetes API server.
Note: The basic authentication feature has been deprecated and is no longer supported in GKE 1.19 and later versions.

About the Service

Google Cloud Kubernetes Engine:

The Google Cloud Kubernetes Engine is a Kubernetes-based service that includes a control plane, nodes that house pods, and Google Cloud services. It aids in the modernization of your programs by offering a platform for deploying, managing, and scaling containerized applications. The Google Cloud Console or kubectl can be used to interact with this Google Cloud Kubernetes Engine. To know more, read here

Impact

Basic authentication allows a user to connect to the cluster using a username and password that may or may not be secure when sent. PingSafe strongly recommends you use a client certificate or IAM to connect to the cluster.

Steps to Reproduce

Note: Basic authentication can only be accessed through the GCP Command Line Interface (CLI). 

Using GCP CLI-

  1. Using your account credentials, configure the GCP CLI if you haven’t already.
  2. To check if your GKE cluster has basic authentication enabled, run the following command:
  3. gcloud container clusters describe <clustername> --format yaml
  4. If it is enabled, an output similar to the one below will be displayed. 
  5. masterAuth:

      clusterCaCertificate: LS0tL...snip...

      password: MC6OeUR3v8A21W4q

      username: admin
  6. Repeat the steps for all the clusters you want to investigate in the selected project.

Steps for Remediation

Determine whether or not you truly require the basic authentication feature to be enabled for your GKE clusters. If not, make the necessary changes to disable it.

Using GCP CLI-

  1. Using your account credentials, configure the GCP CLI if you haven’t already.
  2. Run the following command to disable basic authentication for the desired cluster.
  3. gcloud container clusters update <cluster-name> --no-enable-basic-auth
  4. Repeat steps for all the clusters you want to reconfigure in your GCP project.