Logo of Trend Micro

Disable Basic Authentication for ACK Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AlibabaCloud-ACK-006

Ensure that basic authentication is disabled for your ACK clusters in order to enhance cluster security and meet regulatory compliance requirements.

Security

Basic authentication allows a user to authenticate to the ACK cluster using a username and password, which is stored in plain text without encryption. The basic authentication credentials are not rotated, and changing the password requires restarting the Kubernetes API server. By disabling basic authentication you can protect your ACK clusters against malicious activities such as brute-force attacks. Instead of employing basic authentication with common credentials (i.e. username and password), you can use client certificates. A client certificate is a public certificate encoded in base64, utilized by clients for authentication at the cluster endpoint. In an ACK cluster, the system automatically generates a client certificate for each logging user.

Audit

To determine if basic authentication is disabled for ACK clusters, perform the following operations:

Getting API server authentication configuration information via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Command Line

01 Run the following command on your ACK cluster master node to search for the --basic-auth-file parameter. If the --basic-auth-file argument is present in the apiserver manifest, basic authentication is enabled for the selected ACK cluster. 

sudo cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep basic-auth-file

02 Repeat step no. 1 for each master node provisioned in your Container Service for Kubernetes (ACK) cluster.

03 Repeat steps no. 1 and 2 for each ACK cluster available in your Alibaba Cloud account.

Remediation / Resolution

To disable API server basic authentication for your ACK clusters, perform the following operations:

Disabling basic authentication via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Command Line

01 Edit the API server manifest file available on your cluster master node, i.e. /etc/kubernetes/manifests/kube-apiserver.yaml, remove the --basic-auth-file parameter, save the changes, and restart the API server.

02 Repeat step no. 1 for each master node available within your Container Service for Kubernetes (ACK) cluster.

03 Repeat steps no. 1 and 2 for each ACK cluster available in your Alibaba Cloud account.

References

Publication date Feb 21, 2024

Related AlibabaCloud-ACK rules