User authentication is implemented using secure methods other than client certificate authentication

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

3.1.1

Set up the kubernetes integration.

Description

Kubernetes provides the option to use client certificates for user authentication. However, the API server performs no revocation checking (it supports neither CRLs nor OCSP), so a certificate issued to a user cannot be invalidated when that user leaves the organization or loses the credential; it stays valid until it expires or the cluster CA is rotated. Client certificates are therefore not suitable for end-user authentication. Client certificate authentication cannot be fully disabled within a cluster, because it is used for component-to-component authentication (for example the kubelet's credential to the API server).

Rationale

With any authentication mechanism, the ability to revoke credentials that are compromised or no longer required is a key control. Kubernetes client certificate authentication does not provide this, because the API server does not support certificate revocation.

Audit

Review user access to the cluster (distributed kubeconfig files, approved CertificateSigningRequests, and any certificates issued directly from the cluster CA key) and ensure that users are not authenticating with Kubernetes client certificates.
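One concrete audit step, as an added example that is not part of the CIS text: flag every user entry in a kubeconfig whose credential is a client certificate (inline `client-certificate-data`/`client-key-data` or file-path `client-certificate`/`client-key`) rather than an exec plugin, token or OIDC credential. The kubeconfig content below is constructed for an offline run; in practice you would feed it the files collected from users and CI systems (or the output of `kubectl config view --raw` on each of them).

```shell
#!/bin/sh
# Added example: list kubeconfig users that authenticate with client certificates.

# Constructed sample kubeconfig (not a real cluster). alice and carol use
# certificates; bob uses an exec credential plugin that fetches an OIDC token.
SAMPLE_KUBECONFIG="${TMPDIR:-/tmp}/cis-3.1.1-sample-kubeconfig.yaml"
cat > "$SAMPLE_KUBECONFIG" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: prod
  cluster:
    server: https://10.0.0.1:6443
    certificate-authority-data: LS0tLS1CRUdJTi...
contexts:
- name: alice@prod
  context: {cluster: prod, user: alice}
- name: bob@prod
  context: {cluster: prod, user: bob}
- name: carol@prod
  context: {cluster: prod, user: carol}
current-context: bob@prod
users:
- name: alice
  user:
    client-certificate-data: LS0tLS1CRUdJTi...
    client-key-data: LS0tLS1CRUdJTi...
- name: bob
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args: [oidc-login, get-token]
- name: carol
  user:
    client-certificate: /home/carol/.kube/carol.crt
    client-key: /home/carol/.kube/carol.key
EOF

# Print the name of each user entry whose credentials are a client certificate.
# Only the top-level `users:` section is walked, so the cluster's
# certificate-authority entries are never counted.
cert_users() {
  awk '
    /^users:/               { in_users = 1; next }
    /^[A-Za-z]/             { in_users = 0 }        # any other top-level key
    in_users && /^- name:/  { name = $3 }
    in_users && /^ +(client-certificate|client-key)(-data)?:/ {
      if (!seen[name]++) print name
    }
  ' "$1"
}

# Return 1 (audit finding) when at least one certificate-authenticated user
# exists in the given kubeconfig, 0 otherwise.
assert_no_cert_users() {
  found=$(cert_users "$1")
  if [ -n "$found" ]; then
    printf 'FAIL: client-certificate users in %s:\n%s\n' "$1" "$found"
    return 1
  fi
  printf 'PASS: no client-certificate users in %s\n' "$1"
}

assert_no_cert_users "$SAMPLE_KUBECONFIG" || :
```

Kubeconfig files are only one of the places a certificate credential can live. Also list approved requests with `kubectl get csr` and look at the `SignerName` column: `kubernetes.io/kube-apiserver-client` is the signer that mints API client certificates for arbitrary subjects. Certificates signed directly with the cluster CA key (as `kubeadm` and many bootstrap scripts do) never appear as CSR objects, and the API server audit log records the resulting username but not the authentication method, so neither source is exhaustive on its own.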

Remediation

Alternative mechanisms provided by Kubernetes, such as OIDC token authentication (or webhook token authentication backed by an external identity provider), should be implemented in place of client certificates.
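The remediation has two halves: enable the OIDC authenticator on the API server, then move each user's kubeconfig entry from a certificate to an exec credential plugin that obtains an ID token. The shell below is an added example, not part of the CIS text or of Kubernetes itself. The `--oidc-*` kube-apiserver flags and the `kubectl config set-credentials --exec-*` flags are real; the issuer URL, client ID, claim names and the `kubectl oidc-login` plugin (the community kubelogin project) are assumptions to be replaced with your identity provider's values. The manifest fragments are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: enable OIDC on kube-apiserver and move a kubeconfig user onto it.

# 1. API server side. Without --oidc-issuer-url and --oidc-client-id the OIDC
#    authenticator is not active at all; the prefixes keep IdP identities from
#    colliding with built-in system: users and groups. Values are placeholders.
OIDC_FLAGS='--oidc-issuer-url=https://login.example.com/realms/k8s
--oidc-client-id=kubernetes
--oidc-username-claim=email
--oidc-username-prefix=oidc:
--oidc-groups-claim=groups
--oidc-groups-prefix=oidc:'

# Check a kube-apiserver static-pod manifest (or its process command line) for
# the two flags without which OIDC authentication is not enabled.
apiserver_has_oidc() {
  grep -q -- '--oidc-issuer-url=' "$1" && grep -q -- '--oidc-client-id=' "$1"
}

# Constructed before/after fragments of /etc/kubernetes/manifests/kube-apiserver.yaml.
# The "before" cluster accepts only certificates (and RBAC on their subjects).
BEFORE="${TMPDIR:-/tmp}/cis-3.1.1-apiserver-before.yaml"
AFTER="${TMPDIR:-/tmp}/cis-3.1.1-apiserver-after.yaml"
cat > "$BEFORE" <<'EOF'
    command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --authorization-mode=Node,RBAC
EOF
{
  cat "$BEFORE"
  printf '%s\n' "$OIDC_FLAGS" | sed 's/^/    - /'
} > "$AFTER"

# 2. Client side. Replace the certificate entry with an exec plugin that fetches
#    an ID token. The user is deleted first because set-credentials merges fields
#    and would otherwise leave the old client-certificate/client-key in place.
#    (Not invoked here: it needs kubectl and a kubeconfig to modify.)
configure_oidc_user() {   # usage: configure_oidc_user <user> <kubeconfig>
  KUBECONFIG="$2" kubectl config delete-user "$1"
  KUBECONFIG="$2" kubectl config set-credentials "$1" \
    --exec-api-version=client.authentication.k8s.io/v1beta1 \
    --exec-command=kubectl \
    --exec-arg=oidc-login --exec-arg=get-token \
    --exec-arg=--oidc-issuer-url=https://login.example.com/realms/k8s \
    --exec-arg=--oidc-client-id=kubernetes
}

cat "$AFTER"
apiserver_has_oidc "$AFTER" && echo 'OIDC authenticator flags present'
```

The API server validates ID tokens locally against the issuer's published signing keys and never calls the provider per request, so disabling a user at the identity provider takes effect only when their current ID token expires. Keep token lifetimes short (minutes, not hours) and rely on the plugin's refresh flow; that expiry window is the "revocation" this control is asking for, and it is what client certificates cannot offer.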

Impact

External mechanisms for authentication generally require additional software to be deployed.

Default value

Client certificate authentication is enabled by default.

Notes: The lack of certificate revocation was flagged as a high-risk issue in the recent Kubernetes security audit. Without this feature, client certificate authentication is not suitable for end users.

References

None

CIS controls

Version 7, 14.8 Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.