Ensure shielded GKE nodes are enabled

Error: Shielded GKE nodes are not enabled

Bridgecrew Policy ID: BC_GCP_KUBERNETES_24
Checkov Check ID: CKV_GCP_71
Severity: MEDIUM

Shielded GKE nodes are not enabled

Shielded GKE Nodes provide verifiable integrity via Secure Boot, virtual Trusted Platform Module (vTPM)-enabled Measured Boot, and integrity monitoring.

Shielded GKE nodes protect clusters against boot- or kernel-level malware or rootkits that persist beyond an infected OS.

Shielded GKE nodes run firmware which is signed and verified using Google's Certificate Authority, ensuring that the nodes' firmware is unmodified and establishing the root of trust for Secure Boot. GKE node identity is strongly protected via virtual Trusted Platform Module (vTPM) and verified remotely by the master node before the node joins the cluster. Lastly, GKE node integrity (i.e., boot sequence and kernel) is measured and can be monitored and verified remotely.

Fix - Buildtime

  • Resource: google_container_cluster
  • Argument: enable_shielded_nodes

resource "google_container_cluster" "success" {
  name               = var.name
  location           = var.location
  initial_node_count = 1
  project            = data.google_project.project.name

+ enable_shielded_nodes = true
}
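The same condition can be verified before apply, without Checkov, by walking the JSON form of a Terraform plan (`terraform show -json tfplan`). The following is an added example written for this page, not Checkov's or Bridgecrew's implementation of CKV_GCP_71: it walks `planned_values.root_module.resources` (and nested `child_modules`) and reports every `google_container_cluster` that does not set `enable_shielded_nodes = true`. The sample plan embedded below is constructed for the demonstration, and treating a missing argument as a finding is this example's own conservative choice.

```python
# Added example (not Checkov's own check code): buildtime check for CKV_GCP_71
# over the JSON output of `terraform show -json tfplan`.
import json

RESOURCE_TYPE = "google_container_cluster"
ARGUMENT = "enable_shielded_nodes"


def shielded_nodes_enabled(values: dict) -> bool:
    """True only when enable_shielded_nodes is the boolean true.

    A missing argument, null, or the string "true" all count as not enabled
    (this example's conservative assumption), so the finding is cleared only
    by an explicit `enable_shielded_nodes = true` in the resource.
    """
    return values.get(ARGUMENT) is True


def find_unshielded_clusters(plan_json: str) -> list[str]:
    """Return the addresses of google_container_cluster resources that fail the check."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    # Depth-first walk: plan JSON nests module resources under "child_modules".
    stack = [root]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") != RESOURCE_TYPE:
                continue
            if not shielded_nodes_enabled(res.get("values", {})):
                findings.append(res["address"])
        stack.extend(module.get("child_modules", []))
    return sorted(findings)


# Constructed sample plan: one compliant cluster, one with the argument missing,
# and one in a child module with the argument explicitly set to false.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_container_cluster.success", "type": RESOURCE_TYPE,
                 "name": "success",
                 "values": {"name": "prod", "location": "us-central1",
                            "enable_shielded_nodes": True}},
                {"address": "google_container_cluster.failure", "type": RESOURCE_TYPE,
                 "name": "failure",
                 "values": {"name": "legacy", "location": "us-central1"}},
            ],
            "child_modules": [
                {"address": "module.dev",
                 "resources": [
                     {"address": "module.dev.google_container_cluster.dev",
                      "type": RESOURCE_TYPE, "name": "dev",
                      "values": {"name": "dev", "enable_shielded_nodes": False}},
                 ]},
            ],
        }
    },
})

if __name__ == "__main__":
    for address in find_unshielded_clusters(SAMPLE_PLAN):
        print(f"CKV_GCP_71 FAILED: {address} does not set {ARGUMENT} = true")
```

Running the block prints a finding for `google_container_cluster.failure` and `module.dev.google_container_cluster.dev` and nothing for the compliant cluster. For a cluster that already exists, the same property is visible at runtime under `shieldedNodes.enabled` in the output of `gcloud container clusters describe`, which is the place to confirm that the buildtime fix actually landed.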