Google Cloud Kubernetes Engine
  1. CNS Policies
  2. GCP Knowledge Base
  3. Google Cloud Kubernetes Engine

Legacy Authorization Enabled

Disable legacy authorization on all clusters.

Risk Level: Medium

Description

This plugin ensures that legacy authorization is set to disable on Kubernetes clusters. The Kubernetes legacy authorization feature allows you to use static passwords for authentication. Because these methods expose a larger surface of attack for cluster compromise, SentinelOne CNS strongly advises against using them.

About the Service

Google Cloud Kubernetes Engine:

The Google Cloud Kubernetes Engine is a Kubernetes-based service that includes a control plane, nodes that house pods, and Google Cloud services. It aids in the modernization of your programs by offering a platform for deploying, managing, and scaling containerized applications. The Google Cloud Console or kubectl can be used to interact with this Google Cloud Kubernetes Engine. To know more, read here

Impact

According to the CIS Kubernetes and Google Kubernetes Engine (GKE) Benchmarks, it is recommended to use Role-Based Access Control (RBAC) in GKE instead of Legacy Authorization or Attribute-Based Access Control (ABAC). Enabling legacy authorization for your clusters exposes them to attackers thus lowering the cluster's security. Because it grants them more than the required permissions, attackers can get access to sensitive information.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
  4. Select the cluster you want to investigate from the list of clusters displayed.
  5. Under the Security section, check the status of Legacy authorisation. If it says enabled then Legacy authorisation is enabled for the selected cluster and SentinelOne CNS strongly recommends you to disable it.
  6. Repeat steps 4 and 5for all the clusters you want to investigate in the selected project.
  7. If you have multiple projects that you want to investigate, repeat steps 2 to 6 for each project in your GCP console.

Steps for Remediation

Determine whether or not you truly require the legacy authorisation to be enabled. If not, make the necessary changes to disable it using the steps given below.

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
  4. Select the cluster you want to reconfigure from the list of clusters displayed and go to the DETAILS tab of the selected cluster.  (In case you aren’t sure which node pool needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  5. Under the Security section,  click on the edit icon in the Legacy authorisation row to edit the configuration.

  6. In the Edit Legacy Authorisation pop-up box, uncheck the checkbox and click on SAVE CHANGES to save the edit.


  7. Repeat steps 4 to 6 for all the clusters you want to reconfigure in the selected project.
  8. If you have multiple projects, repeat steps 2 to 7 for each project in your GCP console.