Overview
Legacy GKE client certificate authentication issues an X.509 client certificate that can be used to authenticate to the Kubernetes API server. Google now recommends using IAM-backed access by default because client certificates add lifecycle, distribution, and revocation overhead.
Rationale
Long-lived client certificates are harder to rotate and govern than IAM-based cluster access. Unless you have a specific, documented use case, do not issue or rely on legacy client certificates for cluster administration.
Remediation guidance
Using Command Line
For new clusters, do not issue a legacy GKE client certificate:
gcloud container clusters create [CLUSTER_NAME] --location [LOCATION] --no-issue-client-certificate
Validate whether a cluster still has a legacy client certificate configured:
gcloud container clusters describe [CLUSTER_NAME] --location [LOCATION] --format='yaml(masterAuth)'
Important limitation
Google documents that you cannot remove an already issued legacy client certificate from an existing cluster in place. For existing clusters, the practical remediation is to stop using certificate-based authentication, ensure RBAC and IAM-based access are in place, and replace or rebuild the cluster if your standard requires certificates to be fully absent.
Better platform fix
Use IAM credentials and the DNS-based endpoint for operator access. Only enable Kubernetes credentials such as client certificates when there is a clear technical requirement and compensating controls.
References
- https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication
- https://cloud.google.com/kubernetes-engine/docs/concepts/network-isolation
Service-wide remediation
Recommended when many resources are affected: stop issuing legacy client certificates in your cluster creation baseline and move operators to IAM-backed administration.
Update cluster templates, platform pipelines, and runbooks so new clusters are created without legacy client certificates.
Operational rollout
- Identify whether any operators, CI jobs, or tools still rely on client-certificate authentication.
- Move those users to IAM-backed access first.
- For clusters that must be fully free of legacy certificates, rebuild or replace them under the new baseline.
Query logic
These are the stored checks tied to this control.
Check: Legacy client certificate authentication is disabled on Kubernetes Engine Clusters
Connectors: Google Cloud
Expected check: eq []
Query: gkeClusters(where:{masterAuthClientKey_NOT:""}){...AssetFragment}
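The stored check above passes only when the query returns an empty list, i.e. no cluster has a non-empty masterAuth.clientKey. The following added example (not part of this control page or of any Google tooling) applies the same condition to the JSON that `gcloud container clusters list --format=json` returns, so you can reproduce the validation step from the remediation guidance across a project; the cluster records are constructed samples and the PEM values are placeholders, and the field names follow the GKE Cluster resource (masterAuth.clientCertificate, masterAuth.clientKey).

```python
import json
import subprocess

# Constructed sample shaped like `gcloud container clusters list --format=json`,
# trimmed to the fields this check reads. The PEM strings are placeholders, not real material.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "legacy-prod", "location": "us-central1",
   "masterAuth": {"clusterCaCertificate": "LS0t-placeholder",
                  "clientCertificate": "LS0t-placeholder",
                  "clientKey": "LS0t-placeholder"}},
  {"name": "iam-only", "location": "europe-west1",
   "masterAuth": {"clusterCaCertificate": "LS0t-placeholder",
                  "clientCertificateConfig": {}}},
  {"name": "empty-key", "location": "us-east1",
   "masterAuth": {"clusterCaCertificate": "LS0t-placeholder", "clientKey": ""}}
]
""")


def has_legacy_client_cert(cluster):
    """Mirror the stored query (masterAuthClientKey_NOT: ""): a cluster is flagged when
    masterAuth.clientKey is present and non-empty. An absent or empty key means no
    legacy certificate was issued."""
    master_auth = cluster.get("masterAuth") or {}
    return bool(master_auth.get("clientKey"))


def find_noncompliant(clusters):
    """Return (name, location) for every cluster still carrying a legacy client certificate."""
    return [(c["name"], c["location"]) for c in clusters if has_legacy_client_cert(c)]


def is_compliant(clusters):
    """Equivalent of 'Expected check: eq []': the flagged set must be empty."""
    return find_noncompliant(clusters) == []


def list_clusters(project):
    """Live inventory: run gcloud for a project and parse its JSON output (not used offline)."""
    cmd = ["gcloud", "container", "clusters", "list", "--project", project, "--format=json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    for name, location in find_noncompliant(SAMPLE_CLUSTERS):
        print(f"{name} ({location}): legacy client certificate present; move operators to "
              "IAM-backed access and rebuild the cluster under the new baseline")
```

Replace SAMPLE_CLUSTERS with list_clusters("your-project") to run it against real inventory.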