
CKV_GCP_13 false positive: fails when client_certificate_config is omitted, even though provider default is the desired value #7558

@grodr

Describe the issue

CKV_GCP_13 (Ensure client certificate authentication to Kubernetes Engine Clusters is disabled) fails on any google_container_cluster resource that does not explicitly declare master_auth.client_certificate_config.issue_client_certificate = false.

This is a false positive: the google provider defaults issue_client_certificate to false, which is exactly the desired state the check is enforcing. Modern GKE clusters that omit the master_auth block entirely have client certificate authentication disabled at the API level. The field has defaulted to false since GKE 1.12, when client-cert auth was deprecated. GKE 1.12 and all earlier versions are long out of support, so no currently-creatable GKE cluster issues client certificates by default.

The result: the check punishes the safer pattern (rely on the secure provider default) and rewards the noisier pattern (declare an empty master_auth block just to satisfy the scanner).

Examples

Both clusters below have client certificate auth disabled at the GKE API level. Only the second one passes CKV_GCP_13.

# FAILS CKV_GCP_13 — but client cert auth is disabled at the API level
resource "google_container_cluster" "implicit" {
  name     = "implicit"
  location = "us-central1"
}

# PASSES CKV_GCP_13
resource "google_container_cluster" "explicit" {
  name     = "explicit"
  location = "us-central1"

  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
}

$ checkov -d . --check CKV_GCP_13 --framework terraform --quiet --compact
Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
        FAILED for resource: google_container_cluster.implicit
        PASSED for resource: google_container_cluster.explicit

Version

checkov 3.x (current main, file SHA fa1ee855).

Root cause

checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py extends BaseResourceValueCheck without setting missing_block_result, which defaults to CheckResult.FAILED. So an unset key is treated as a failure rather than as the provider default.

Suggested fix

Pass missing_block_result=CheckResult.PASSED to the parent constructor:

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck


class GKEClientCertificateDisabled(BaseResourceValueCheck):
    def __init__(self):
        super().__init__(
            name="Ensure client certificate authentication to Kubernetes Engine Clusters is disabled",
            id="CKV_GCP_13",
            categories=[CheckCategories.KUBERNETES],
            supported_resources=["google_container_cluster"],
            missing_block_result=CheckResult.PASSED,
        )

    def get_inspected_key(self):
        return "master_auth/[0]/client_certificate_config/[0]/issue_client_certificate/[0]"

    def get_expected_value(self):
        return False

This preserves the existing failure mode when issue_client_certificate = true is explicitly set, while treating omission as a pass (matching the provider default).
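To make the effect of missing_block_result concrete, here is an added, self-contained re-implementation of how a value check walks its inspected key over parsed resource config (it is not checkov's code; it assumes checkov's parser convention that every block and attribute value is wrapped in a list). It evaluates the two resources from the issue plus a constructed cluster that explicitly opts in, with and without the fix:

```python
from enum import Enum


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


# Same inspected key and expected value as the check in the issue.
INSPECTED_KEY = "master_auth/[0]/client_certificate_config/[0]/issue_client_certificate/[0]"
EXPECTED_VALUE = False


def resolve_key(conf, key):
    """Walk a '/'-separated path; '[n]' segments index a list.
    Returns None as soon as any segment is missing (absent block or attribute)."""
    node = conf
    for part in key.split("/"):
        if part.startswith("[") and part.endswith("]"):
            idx = int(part[1:-1])
            if not isinstance(node, list) or idx >= len(node):
                return None
            node = node[idx]
        else:
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
    return node


def scan_resource_conf(conf, missing_block_result=CheckResult.FAILED):
    """Simplified value check: an absent key yields missing_block_result,
    a present key passes only when it equals EXPECTED_VALUE."""
    value = resolve_key(conf, INSPECTED_KEY)
    if value is None:
        return missing_block_result
    return CheckResult.PASSED if value == EXPECTED_VALUE else CheckResult.FAILED


# Constructed configs: the two resources from the issue and an explicit opt-in.
IMPLICIT = {"name": ["implicit"], "location": ["us-central1"]}
EXPLICIT_FALSE = {
    "name": ["explicit"], "location": ["us-central1"],
    "master_auth": [{"client_certificate_config": [{"issue_client_certificate": [False]}]}],
}
EXPLICIT_TRUE = {
    "name": ["opt-in"], "location": ["us-central1"],
    "master_auth": [{"client_certificate_config": [{"issue_client_certificate": [True]}]}],
}
```

With the default, IMPLICIT is FAILED; with missing_block_result=CheckResult.PASSED it passes, while EXPLICIT_TRUE still fails either way.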
