Client Certificate Authentication Not Setup Properly
- Query id: e0e00aba-5f1c-4981-a542-9a9563c0ee20
- Query name: Client Certificate Authentication Not Setup Properly
- Platform: Kubernetes
- Severity: High
- Category: Access Control
- CWE: 1390
- URL: Github
Description¶
Client Certificate Authentication should be Setup with a .pem or .crt file
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: foo/bar
command: ["kubelet"]
args: ["--client-ca-file=/var/lib/ca.txt"]
restartPolicy: OnFailure
Positive test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--client-ca-file=/var/lib/ca.txt"]
restartPolicy: OnFailure
Positive test num. 3 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: []
restartPolicy: OnFailure
Positive test num. 4 - yaml file
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
protectKernelDefaults: false
serializeImagePulls: false
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/var/lib/kubernetes/ca.txt"
authorization:
evictionHard:
memory.available: "200Mi"
Positive test num. 5 - yaml file
Positive test num. 6 - yaml file
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: foo/bar
command: ["kubelet"]
args: ["--client-ca-file=/var/lib/ca.pem"]
restartPolicy: OnFailure
Negative test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: foo/bar
command: ["kubelet"]
args: []
restartPolicy: OnFailure
Negative test num. 3 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--client-ca-file=/var/lib/ca.pem"]
restartPolicy: OnFailure
Negative test num. 4 - yaml file
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
protectKernelDefaults: false
serializeImagePulls: false
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/var/lib/kubernetes/ca.pem"
authorization:
evictionHard:
memory.available: "200Mi"
Negative test num. 5 - json file
{
"kind": "KubeletConfiguration",
"apiVersion": "kubelet.config.k8s.io/v1beta1",
"port": 10250,
"readOnlyPort": 10255,
"cgroupDriver": "cgroupfs",
"hairpinMode": "promiscuous-bridge",
"serializeImagePulls": false,
"authentication":{
"anonymous":{
"enabled": false
},
"webhook":{
"enabled": true
},
"x509":{
"clientCAFile":"/var/lib/kubernetes/ca.pem"
}
},
"featureGates": {
"RotateKubeletClientCertificate": true,
"RotateKubeletServerCertificate": true
}
}
Negative test num. 6 - yaml file
Negative test num. 7 - yaml file
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
protectKernelDefaults: false
serializeImagePulls: false
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/var/lib/kubernetes/ca.crt"
authorization:
evictionHard:
memory.available: "200Mi"