GCP008 - Legacy client authentication methods utilized.

Explanation

It is recommended to use Service Accounts and OAuth as the authentication methods for accessing the master in the container cluster.

Basic authentication should be disabled by explicitly unsetting the username and password on the master_auth block.

Insecure Example

The following example will fail the GCP008 check.

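# Fails: no master_auth block, so the username and password are never explicitly unset.
resource "google_container_cluster" "bad_example" {
}

# Fails: basic authentication is unset, but a client certificate is still issued.
resource "google_container_cluster" "gke" {
	master_auth {
		username = ""
		password = ""
		client_certificate_config {
			issue_client_certificate = true
		}
	}
}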

Secure Example

The following example will pass the GCP008 check.

# Passes: basic authentication is explicitly unset and no client certificate is issued.
resource "google_container_cluster" "good_example" {
	master_auth {
		username = ""
		password = ""
	}
}
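
The same three conditions can be checked against Terraform's JSON plan output before apply. This Python sketch is an added example, not code from the check itself or from the original page. The plan data is constructed, the function names are hypothetical, and treating a missing master_auth block as a failure is an assumption taken from the first insecure example above.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output;
# nested blocks such as master_auth appear as single-element lists.
CLUSTER = "google_container_cluster"
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": CLUSTER + ".bad_example", "type": CLUSTER, "values": {}},
        {"address": CLUSTER + ".gke", "type": CLUSTER,
         "values": {"master_auth": [{"username": "", "password": "",
             "client_certificate_config": [{"issue_client_certificate": True}]}]}},
        {"address": CLUSTER + ".good_example", "type": CLUSTER,
         "values": {"master_auth": [{"username": "", "password": ""}]}},
    ],
    "child_modules": [{"resources": [
        {"address": "module.legacy." + CLUSTER + ".basic", "type": CLUSTER,
         "values": {"master_auth": [{"username": "admin",
                                     "password": "constructed-value"}]}}]}],
}}}

def iter_resources(module):
    """Yield resources from a module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def legacy_auth_findings(values):
    """Return the reasons a cluster would fail the rule (empty list = pass)."""
    blocks = values.get("master_auth") or []
    if not blocks:  # assumption: a missing block fails, as in bad_example
        return ["master_auth block missing"]
    auth, reasons = blocks[0], []
    if auth.get("username") or auth.get("password"):
        reasons.append("basic auth username/password is set")
    cert = (auth.get("client_certificate_config") or [{}])[0]
    if cert.get("issue_client_certificate"):
        reasons.append("client certificate issuance is enabled")
    return reasons

def scan_plan(plan):
    """Map each failing google_container_cluster address to its reasons."""
    root = plan.get("planned_values", {}).get("root_module", {})
    checked = {r["address"]: legacy_auth_findings(r.get("values", {}))
               for r in iter_resources(root)
               if r.get("type") == CLUSTER}
    return {addr: why for addr, why in checked.items() if why}

if __name__ == "__main__":
    for address, reasons in scan_plan(SAMPLE_PLAN).items():
        print(f"{address}: {'; '.join(reasons)}")
```

Because the walk includes child modules, clusters declared inside reused modules are covered as well as those in the root configuration.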