no-legacy-authentication
Explanation
It is recommended to use Service Accounts and OAuth as authentication methods for accessing the master in the container cluster.
Basic authentication should be disabled by explicitly unsetting the username
and password
on the master_auth
block.
Possible Impact
Username and password authentication methods are less secure
Suggested Resolution
Use service account or OAuth for authentication
Insecure Example
The following example will fail the google-gke-no-legacy-authentication check.
resource "google_container_cluster" "bad_example" {
}
resource "google_container_cluster" "gke" {
master_auth {
username = ""
password = ""
client_certificate_config {
issue_client_certificate = true
}
}
}
Secure Example
The following example will pass the google-gke-no-legacy-authentication check.
resource "google_container_cluster" "good_example" {
master_auth {
username = ""
password = ""
}
}