No Legacy Authentication | Vulnerability Database

Legacy client authentication methods utilized.

It is recommended to use Service Accounts and OAuth as authentication methods for accessing the master in the container cluster.

Basic authentication should be disabled by explicitly unsetting the username and password on the master_auth block.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Use service account or OAuth for authentication

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33


resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

resource "google_container_cluster" "good_example" {
  name     = "my-gke-cluster"
  location = "us-central1"

  # We can't create a cluster with no node pool defined, but we want to only use
  # separately managed node pools. So we create the smallest possible default
  # node pool and immediately delete it.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  name       = "my-node-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "e2-medium"

    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
  }
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_auth