N/A
Source: Kube Bench
ID: 5.8
Version: gke-1.2.0

5.8 Authentication and Authorization

5.8.1 Ensure Basic Authentication using static passwords is Disabled (Automated)

Using Command Line: To update an existing cluster and disable Basic Authentication by removing the static password:

gcloud container clusters update [CLUSTER_NAME] \
  --no-enable-basic-auth

5.8.2 Ensure authentication using Client Certificates is Disabled (Automated)

Using Command Line: Create a new cluster without a Client Certificate:

gcloud container clusters create [CLUSTER_NAME] \
  --no-issue-client-certificate

5.8.3 Manage Kubernetes RBAC users with Google Groups for GKE (Manual)

Using Command Line: Follow the G Suite Groups instructions at https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#google-groups-for-gke.

Then, create a cluster with:

gcloud beta container clusters create my-cluster \
  --security-group="gke-security-groups@[yourdomain.com]"

Finally, create Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings that reference your G Suite Groups.

5.8.4 Ensure Legacy Authorization (ABAC) is Disabled (Automated)

Using Command Line: To disable Legacy Authorization for an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --no-enable-legacy-authorization
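
To confirm the remediations above took effect, the following added example (not part of the benchmark or of kube-bench) evaluates checks 5.8.1 to 5.8.4 against the JSON printed by `gcloud container clusters describe [CLUSTER_NAME] --format=json`. It assumes the field names of the GKE API Cluster resource (`masterAuth`, `legacyAbac`, `authenticatorGroupsConfig`); both sample clusters are constructed.

```python
import json

# Constructed sample: trimmed `describe` output for a cluster that fails every check.
LEGACY_CLUSTER = json.loads("""
{
  "name": "example-legacy",
  "masterAuth": {"username": "admin", "password": "REDACTED",
                 "clientCertificate": "PLACEHOLDER", "clientKey": "PLACEHOLDER"},
  "legacyAbac": {"enabled": true}
}
""")

# Constructed sample: a cluster configured as 5.8.1 to 5.8.4 recommend.
HARDENED_CLUSTER = json.loads("""
{
  "name": "example-hardened",
  "masterAuth": {"clusterCaCertificate": "PLACEHOLDER"},
  "legacyAbac": {},
  "authenticatorGroupsConfig": {"enabled": true,
                                "securityGroup": "gke-security-groups@example.com"}
}
""")


def audit_cluster(cluster):
    """Map each 5.8.x check ID to True (compliant) or False."""
    auth = cluster.get("masterAuth") or {}
    abac = cluster.get("legacyAbac") or {}
    groups = cluster.get("authenticatorGroupsConfig") or {}
    group = groups.get("securityGroup") or ""
    return {
        # 5.8.1: no static username/password on the control plane
        "5.8.1": not (auth.get("username") or auth.get("password")),
        # 5.8.2: no client certificate or key was issued
        "5.8.2": not (auth.get("clientCertificate") or auth.get("clientKey")),
        # 5.8.3: Google Groups for GKE enabled with a gke-security-groups@ group
        "5.8.3": bool(groups.get("enabled")) and group.startswith("gke-security-groups@"),
        # 5.8.4: legacy ABAC absent or disabled
        "5.8.4": not abac.get("enabled", False),
    }


def failing_checks(cluster):
    """Return the sorted IDs of the checks the cluster fails."""
    return sorted(cid for cid, ok in audit_cluster(cluster).items() if not ok)


if __name__ == "__main__":
    for c in (LEGACY_CLUSTER, HARDENED_CLUSTER):
        print(c["name"], "fails:", failing_checks(c) or "none")
```

Check 5.8.3 is marked Manual in the benchmark: the script only confirms the cluster setting, not that RoleBindings actually reference the groups.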