Basic auth is deprecated: https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
I'm authing like this (same as the docs: https://www.terraform.io/docs/providers/google/d/client_config.html):
data "google_client_config" "default" {
}

data "google_container_cluster" "my_cluster" {
  name = "my-cluster"
  zone = "us-east1-a"
}

provider "kubernetes" {
  load_config_file = false
  host             = "https://${data.google_container_cluster.my_cluster.endpoint}"
  token            = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(
    data.google_container_cluster.my_cluster.master_auth[0].cluster_ca_certificate,
  )
}
The doc says:
CIS GKE Benchmark Recommendations: 6.8.1. Ensure Basic Authentication using static passwords is Disabled and 6.8.2. Ensure authentication using Client Certificates is Disabled
Is cluster_ca_certificate using "Client Certificates" or is it different? I want to make sure what I'm doing (the tf snippet above) is going to continue to be supported by GKE, but I'm unclear on how this is actually working right now.
Perhaps I'm already doing it the right, non-deprecated way?
Without being an expert in K8S, I would say that
Is your authentication token to access GKE APIs.
The certificate that you load is the server certificate to enforce TLS communication with the master. Not the authentication, only the TLS over HTTP encryption.
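The distinction drawn in the answer can be checked mechanically. The following is an added example, not code from the question, the answer, or the Terraform or GKE docs: it reads a `provider "kubernetes"` block and separates the arguments that only verify the API server from the ones that authenticate the client. The function names and the `LEGACY_TF` block are constructed for illustration, and the small line-based parser is an assumption that covers blocks shaped like the one in the question, not all of HCL.

```python
import re

SERVER_TRUST = {"cluster_ca_certificate", "insecure"}  # verifies the server only
CREDENTIALS = {  # provider argument -> (auth method, CIS item that disables it)
    "token": ("bearer token", None), "exec": ("exec plugin", None),
    "username": ("basic auth", "6.8.1"), "password": ("basic auth", "6.8.1"),
    "client_certificate": ("client certificate", "6.8.2"),
    "client_key": ("client certificate", "6.8.2"),
}

def provider_args(tf_text, provider="kubernetes"):
    """Names of the top-level arguments and blocks set in provider "<name>" { ... }."""
    start = re.search(r'provider\s+"%s"\s*\{' % re.escape(provider), tf_text)
    if not start:
        return set()
    depth, names = 1, set()
    for line in tf_text[start.end():].splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue  # commented-out arguments are not set
        m = re.match(r"\s*(\w+)\s*(=|\{)", line)
        if m and depth == 1:
            names.add(m.group(1))
        depth += sum(line.count(c) for c in "{(") - sum(line.count(c) for c in "})")
        if depth <= 0:
            break
    return names

def audit(tf_text):
    """Return (auth methods in use, CIS items they fall under, server-trust settings)."""
    names = provider_args(tf_text)
    hits = [CREDENTIALS[n] for n in names if n in CREDENTIALS]
    methods, cis = {m for m, _ in hits}, {c for _, c in hits if c}
    return sorted(methods), sorted(cis), sorted(names & SERVER_TRUST)

# QUESTION_TF is the block from the question; LEGACY_TF is constructed.
QUESTION_TF = '''provider "kubernetes" {
  load_config_file = false
  host = "https://${data.google_container_cluster.my_cluster.endpoint}"
  token = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(
    data.google_container_cluster.my_cluster.master_auth[0].cluster_ca_certificate,
  )
}'''
LEGACY_TF = '''provider "kubernetes" {
  username = "admin"
  password = "PASSWORD_PLACEHOLDER"
  client_certificate = "CLIENT_CERT_PLACEHOLDER"
  client_key = "CLIENT_KEY_PLACEHOLDER"
  cluster_ca_certificate = "CA_PLACEHOLDER"
}'''
```

`audit(QUESTION_TF)` reports a bearer token as the only credential and `cluster_ca_certificate` as a server-trust setting, while `audit(LEGACY_TF)` reports both methods named in items 6.8.1 and 6.8.2.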