Client certificate authentication not set up properly
Id: e0e00aba-5f1c-4981-a542-9a9563c0ee20
Cloud Provider: k8s
Framework: Kubernetes
Severity: High
Category: Access Control
Description
Client certificate authentication should be set up with a .pem or .crt file.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: foo/bar
    command: ["kubelet"]
    args: ["--client-ca-file=/var/lib/ca.pem"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--client-ca-file=/var/lib/ca.crt"]
  restartPolicy: OnFailure

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
protectKernelDefaults: false
serializeImagePulls: false
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/var/lib/kubernetes/ca.crt"
authorization:
evictionHard:
  memory.available: "200Mi"

Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--client-ca-file=/var/lib/ca.txt"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: []
  restartPolicy: OnFailure

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
protectKernelDefaults: false
serializeImagePulls: false
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/var/lib/kubernetes/ca.txt"
authorization:
evictionHard:
  memory.available: "200Mi"
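The check described above, applied to both the Pod and KubeletConfiguration forms shown in the examples, as an added illustration that is not part of the rule page or Datadog's scanner. It takes manifests already parsed into Python dicts (as yaml.safe_load would produce) and flags a missing client CA file or one whose extension is not .pem or .crt; the sample Pod is constructed to mirror the first non-compliant example.

```python
import os

# Extensions the rule accepts for the client CA bundle.
ALLOWED_CA_EXTENSIONS = (".pem", ".crt")
CLIENT_CA_FLAG = "--client-ca-file"
# Only these binaries take --client-ca-file; other containers are skipped.
CONTROL_PLANE_BINARIES = {"kubelet", "kube-apiserver"}

def _check_ca_path(path, location):
    """Return a finding list for one client CA path (empty when compliant)."""
    if not path:
        return [f"{location}: no client CA file configured"]
    if not path.lower().endswith(ALLOWED_CA_EXTENSIONS):
        return [f"{location}: client CA file {path!r} is not a .pem or .crt file"]
    return []

def client_ca_from_args(args):
    """Extract the --client-ca-file value from an argv list.
    Handles both '--client-ca-file=/x' and '--client-ca-file /x' forms."""
    for i, arg in enumerate(args):
        if arg.startswith(CLIENT_CA_FLAG + "="):
            return arg.split("=", 1)[1]
        if arg == CLIENT_CA_FLAG and i + 1 < len(args):
            return args[i + 1]
    return None

def check_document(doc):
    """Check one parsed manifest; returns a list of human-readable findings."""
    findings = []
    if doc.get("kind") == "Pod":
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        for c in doc.get("spec", {}).get("containers", []):
            # command and args are concatenated: the flag may live in either.
            argv = list(c.get("command") or []) + list(c.get("args") or [])
            if not argv or os.path.basename(argv[0]) not in CONTROL_PLANE_BINARIES:
                continue
            loc = f"Pod/{name} container {c.get('name', '?')}"
            findings += _check_ca_path(client_ca_from_args(argv[1:]), loc)
    elif doc.get("kind") == "KubeletConfiguration":
        path = doc.get("authentication", {}).get("x509", {}).get("clientCAFile")
        findings += _check_ca_path(path, "KubeletConfiguration authentication.x509.clientCAFile")
    return findings

# Constructed sample mirroring the page's first non-compliant Pod example.
SAMPLE_POD = {"kind": "Pod", "metadata": {"name": "command-demo"}, "spec": {"containers": [
    {"name": "command-demo-container", "command": ["kube-apiserver"],
     "args": ["--client-ca-file=/var/lib/ca.txt"]}]}}

if __name__ == "__main__":
    for finding in check_document(SAMPLE_POD):
        print(finding)
```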