K8s client certificate authentication remediation

Using Console

Using CLI

To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP CLI, you can follow the below steps:

Open the Google Cloud Console and select the project in which you want to make the changes.
Open the Cloud Shell by clicking on the icon on the top right corner of the console.
In the Cloud Shell, run the following command to disable client certificate authentication:

gcloud alpha container hub config set --user-authentication-mode=NONE

Verify that the authentication mode has been changed by running the following command:

gcloud alpha container hub config describe

This command will display the current configuration of the Google Kubernetes Engine (GKE) hub.

Ensure that the authentication mode is set to “NONE” for user authentication.

By following these steps, you can remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Client Certificate Authentication Should Not Be Used For Users” in GCP using Python, you can follow the below steps:

First, you need to check if client certificate authentication is enabled for any user in your GCP project. You can use the following Python code to check this:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('iam', 'v1', credentials=credentials)

response = service.projects().getIamPolicy(resource=<your-project-id>).execute()

for binding in response['bindings']:
    if 'members' in binding:
        for member in binding['members']:
            if member.startswith('clientCertificate:'):
                print(f'Client certificate authentication is enabled for user: {member}')

If the above code returns any user who has client certificate authentication enabled, you need to disable it. You can use the following Python code to disable client certificate authentication for a user:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('iam', 'v1', credentials=credentials)

member = 'clientCertificate:<user-email>'
policy = {
    'bindings': [
        {
            'role': '<role>',
            'members': [member],
            'condition': {
                'title': 'deny-client-certificate',
                'expression': 'request.auth.cert_subject_dn != "<client-certificate-dn>"'
            }
        }
    ]
}

response = service.projects().setIamPolicy(resource=<your-project-id>, body={'policy': policy}).execute()

Replace <user-email> with the email address of the user for whom you want to disable client certificate authentication. Replace <role> with the role assigned to the user. Replace <client-certificate-dn> with the distinguished name of the client certificate that the user is using for authentication.

Run the above code to disable client certificate authentication for the user.
Verify that client certificate authentication is disabled for the user by running the first code snippet again. If it returns no user, then the remediation is successful.

Note: Make sure you have the required permissions to modify IAM policies in your GCP project.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

K8s client certificate authentication remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation