Ensure the GKE metadata server is enabled

Error: The GKE metadata server is disabled

Bridgecrew Policy ID: BC_GCP_KUBERNETES_23
Checkov Check ID: CKV_GCP_69
Severity: LOW

The GKE metadata server is disabled

Description

Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload Identity.

Every node stores its metadata on a metadata server. Some of this metadata, such as kubelet credentials and the VM instance identity token, is sensitive and should not be exposed to a Kubernetes workload. Enabling the GKE Metadata server prevents pods (that are not running on the host network) from accessing this metadata and facilitates Workload Identity.

When unspecified, the default setting allows running pods to have full access to the node's underlying metadata server.

Fix - Buildtime

Terraform

  • Resource: google_container_cluster / google_container_node_pool
  • Argument: node_config.workload_metadata_config.node_metadata
resource "google_container_cluster" "example" {
  name               = var.name
  location           = var.location
  initial_node_count = 1
  project            = data.google_project.project.name

+ node_config {
+   workload_metadata_config {
+     mode = "GKE_METADATA"
+   }
+ }
  
}