Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.IAM.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have isClientCertificateIssued=true

REMEDIATION

Note: Remediation is only possible by creation of a new cluster with Client certificate enable.
From Portal

Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list
Click on CREATE CLUSTER
Choose required name/value for cluster fields
Under 'CLUSTER' click on 'Security'
Set 'Issue a client certificate' to Selected
Click on Create

From TF
Set the 'issue_client_certificate' to be equal to 'true':

resource "google_container_cluster" "primary" {
	...
	master_auth {
		
		client_certificate_config {
			issue_client_certificate = true
		}
	}
	...
}

From Command Line
To add 'Issue a client certificate', run:

gcloud container clusters create YOUR_CLUSTER --machine-type=MACHINE_TYPE --issue-client-certificate --zone ZONE

References

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Foundations v. 1.0.0
GCP CloudGuard Best Practices
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5