Profile Applicability:

  • Level 1

Description:

Client certificate authentication for users involves using certificates to authenticate users to the Kubernetes API server. This method is less flexible and harder to manage compared to other authentication methods, such as OpenID Connect (OIDC) or IAM-based authentication. The recommendation is to avoid using client certificates for user authentication and instead rely on more modern and scalable methods that integrate better with identity providers and offer enhanced security.

Rationale:

While client certificate authentication provides security, it has several limitations in terms of scalability, management, and integration with centralized identity management systems. Using client certificates for user authentication can make it difficult to manage user access, especially in large or dynamic environments. Modern authentication methods like OIDC or IAM are more flexible and easier to manage, and they can integrate with existing identity management systems.

Impact:

Pros:

  • Using modern authentication methods simplifies management and improves scalability.

  • Reduces the complexity of maintaining certificates for each user.

  • Easier integration with enterprise identity providers (e.g., Active Directory, Google Identity, AWS IAM).

Cons:

  • If switching from client certificates, there may be a transition period where existing workflows need to be updated to use alternative authentication methods.

Default Value:

Client certificate authentication may be enabled by default, depending on how the cluster was configured.

Pre-requisites:

  • Modern authentication methods like OIDC, LDAP, or IAM should be configured.

  • Users should be migrated to a more scalable and manageable authentication method.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster.

  3. Go to the Kubernetes API server configuration.

  4. Verify that client certificate authentication is not enabled for user authentication and that a more modern authentication method (like OIDC or IAM) is used.

Using AWS CLI:

Run the following AWS CLI commands to describe the cluster's access configuration and to list the identity providers associated with it:

aws eks describe-cluster --name <cluster-name> --query "cluster.accessConfig"

aws eks list-identity-provider-configs --cluster-name <cluster-name>

  1. Ensure that client certificate authentication is not listed as the authentication method for users.
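The check above can be scripted. The helper below is an added example, not part of the benchmark: it evaluates the JSON documents returned by `aws eks describe-cluster` and `aws eks list-identity-provider-configs`, so it can be run offline against captured output; the two sample documents and the cluster name `demo` are constructed.

```python
"""Offline audit helper for the EKS user-authentication check (added example)."""
import json
import subprocess

# Constructed sample: trimmed output of `aws eks describe-cluster --name demo`.
SAMPLE_CLUSTER = json.loads("""
{"cluster": {"name": "demo",
             "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"}}}
""")

# Constructed sample: output of `aws eks list-identity-provider-configs --cluster-name demo`.
SAMPLE_IDP_CONFIGS = json.loads("""
{"identityProviderConfigs": [{"type": "oidc", "name": "corp-oidc"}]}
""")


def audit_user_authentication(cluster_desc: dict, idp_configs: dict) -> dict:
    """Return a finding: the IAM access mode, associated OIDC providers, PASS/FAIL."""
    cluster = cluster_desc.get("cluster", {})
    mode = cluster.get("accessConfig", {}).get("authenticationMode")
    providers = idp_configs.get("identityProviderConfigs", [])
    oidc_names = [p["name"] for p in providers if str(p.get("type", "")).lower() == "oidc"]
    reasons = []
    if mode is None:
        reasons.append("accessConfig.authenticationMode missing from describe-cluster output")
    if not oidc_names:
        reasons.append("no OIDC identity provider is associated with the cluster")
    return {
        "cluster": cluster.get("name"),
        "authenticationMode": mode,
        "oidcProviders": oidc_names,
        "status": "PASS" if not reasons else "FAIL",
        "reasons": reasons,
    }


def audit_live_cluster(cluster_name: str) -> dict:
    """Fetch both documents with the AWS CLI (needs credentials) and audit them."""
    def cli(*args: str) -> dict:
        return json.loads(subprocess.check_output(["aws", "eks", *args, "--output", "json"]))
    return audit_user_authentication(
        cli("describe-cluster", "--name", cluster_name),
        cli("list-identity-provider-configs", "--cluster-name", cluster_name),
    )


if __name__ == "__main__":
    print(json.dumps(audit_user_authentication(SAMPLE_CLUSTER, SAMPLE_IDP_CONFIGS), indent=2))
```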

Implementation Plan:

Using AWS Console:

  1. Navigate to the EKS cluster in the AWS Console.

  2. Under the Cluster Configuration section, review the authentication settings.

  3. Disable client certificate authentication for users and enable a more modern authentication method (e.g., OIDC, IAM).

  4. Save the configuration and apply the changes.

Using AWS CLI:

Associate an OIDC identity provider with the cluster so that users authenticate through it instead of client certificates:

aws eks associate-identity-provider-config --cluster-name <cluster-name> --oidc identityProviderConfigName=<config-name>,issuerUrl=<issuer-url>,clientId=<client-id>

Backout Plan:

Using AWS Console:

  1. Navigate to the EKS cluster's API server configuration.

  2. If necessary, re-enable client certificate authentication and disable the alternative method.

  3. Save the configuration and redeploy the cluster.

Using AWS CLI:

If issues occur, revert the change by removing the OIDC identity provider association so that users fall back to the previous authentication method:

aws eks disassociate-identity-provider-config --cluster-name <cluster-name> --identity-provider-config type=oidc,name=<config-name>

References: