no-legacy-authentication

Explanation

It is recommended to use Service Accounts and OAuth as authentication methods for accessing the master in the container cluster.

Basic authentication should be disabled by explicitly unsetting the username and password on the master_auth block.

Possible Impact

Username and password authentication methods are less secure

Suggested Resolution

Use service account or OAuth for authentication

Insecure Example

The following example will fail the google-gke-no-legacy-authentication check.

resource "google_container_cluster" "bad_example" {
}

resource "google_container_cluster" "gke" {
    master_auth {
        username = ""
        password = ""
        client_certificate_config {
            issue_client_certificate = true
        }
    }
}

Secure Example

The following example will pass the google-gke-no-legacy-authentication check.

resource "google_container_cluster" "good_example" {
    master_auth {
        username = ""
        password = ""
    }
}

Related Links

• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_auth

• https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods