Ensure secure boot for shielded GKE nodes is enabled

Error: Secure boot for shielded GKE nodes is disabled

Bridgecrew Policy ID: BC_GCP_KUBERNETES_17
Checkov Check ID: CKV_GCP_68
Severity: MEDIUM

Description

Enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components.
An attacker may seek to alter boot components to persist malware or rootkits during system initialization. Secure Boot helps ensure that the node only runs authentic software by verifying the digital signature of every boot component and halting the boot process if signature verification fails.

Fix - Buildtime

Terraform

  • Resource: google_container_cluster / google_container_node_pool
  • Argument: node_config.shielded_instance_config.enable_secure_boot
resource "google_container_cluster" "success" {
  name               = var.name
  ...
  node_config {
    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }
    shielded_instance_config {
-     enable_secure_boot = false
+     enable_secure_boot = true
    }
  }
}
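As an added example (not Bridgecrew's or Checkov's own code), the following Python re-implements the logic of this check over Terraform resources already decoded into dicts, so a practitioner can see exactly which configurations pass and fail for both resource types; the hcl2-style single-element-list value shape, the helper names and the sample resources are assumptions.

```python
"""Minimal re-implementation of the CKV_GCP_68 logic over Terraform resources
decoded into Python dicts (assumed hcl2-style shape: every attribute value is
wrapped in a single-element list, as Checkov sees it)."""

from typing import Any

# Both resource types carry a node_config block; the argument path is the one
# named in the policy: node_config.shielded_instance_config.enable_secure_boot
CHECKED_TYPES = {"google_container_cluster", "google_container_node_pool"}
ARG_PATH = ("node_config", "shielded_instance_config", "enable_secure_boot")


def _unwrap(value: Any) -> Any:
    """hcl2 wraps each attribute in a one-element list; return the inner value."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value


def secure_boot_enabled(conf: dict) -> bool:
    """True only when enable_secure_boot is literally true.

    A missing node_config or shielded_instance_config block is treated as
    failing (conservative assumption: the provider default is not relied on).
    """
    node: Any = conf
    for key in ARG_PATH:
        node = _unwrap(node.get(key)) if isinstance(node, dict) else None
        if node is None:
            return False
    return node is True


def scan(resources: list[dict]) -> list[str]:
    """Return addresses (type.name) of in-scope resources that fail the check."""
    return [
        f"{res['type']}.{res['name']}"
        for res in resources
        if res["type"] in CHECKED_TYPES and not secure_boot_enabled(res["conf"])
    ]


# Constructed sample resources (not from the original page)
SAMPLE = [
    {"type": "google_container_cluster", "name": "success", "conf": {
        "node_config": [{"shielded_instance_config": [{"enable_secure_boot": [True]}]}]}},
    {"type": "google_container_cluster", "name": "fail_false", "conf": {
        "node_config": [{"shielded_instance_config": [{"enable_secure_boot": [False]}]}]}},
    {"type": "google_container_node_pool", "name": "fail_missing", "conf": {
        "node_config": [{"machine_type": ["e2-medium"]}]}},
    {"type": "google_compute_instance", "name": "out_of_scope", "conf": {}},
]

if __name__ == "__main__":
    for address in scan(SAMPLE):
        print(f"FAILED CKV_GCP_68: {address}")
```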