Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable GKE Metadata Server

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to enhance security by restricting workload access to sensitive instance information. The GKE Metadata Server feature requires Workload Identity for improved authentication and authorization.

Security

Every Google Kubernetes Engine (GKE) cluster node maintains a metadata server that stores critical information. Some of this data, including sensitive credentials like kubelet credentials and VM instance identity tokens, should remain inaccessible to Kubernetes workloads. Enabling the GKE Metadata Server feature safeguards this sensitive information by preventing pods (not running on the host network) from accessing it. Additionally, it lays the groundwork for Workload Identity, a mechanism that allows pods to assume specific service account roles without relying on traditional service accounts. This streamlined approach enhances security and simplifies authentication, contributing to overall cluster efficiency and security. When the feature is disabled, the GKE cluster node defaults to a less secure configuration, granting running pods unrestricted access to the node's underlying metadata server.

Audit

To determine if GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the NODES tab to access the node pools created for the selected cluster.

07 Click on the name (link) of the GKE cluster node pool that you want to examine.

08 In the Security section, inspect the GKE Metadata Server setting status. If the GKE Metadata Server setting checkbox is unchecked, the GKE Metadata Server feature is not enabled for the nodes running within the selected Google Kubernetes Engine (GKE) cluster node pool.

09 Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 – 9 for each GKE cluster provisioned within the selected GCP project.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDS: 

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project: 

gcloud container clusters list
	--project cc-web-project-123123
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions: 

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container node-pools list command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter, to describe the name of each node pool provisioned for the selected cluster: 

gcloud container node-pools list
	--cluster=cc-gke-backend-cluster
	--region=us-central1
	--format="(NAME)"

06 The command output should return the requested GKE node pool names: 

NAME:
cc-gke-backend-pool-001
cc-gke-backend-pool-002
cc-gke-backend-pool-003

07 Run container node-pools describe command (Windows/macOS/Linux) with the name of the cluster node pool that you want to examine as the identifier parameter and custom output filters to determine if the GKE Metadata Server feature is enabled for the selected node pool: 

gcloud container node-pools describe cc-gke-backend-pool-001
	--cluster=cc-gke-backend-cluster
	--region=us-central1
	--format="value(config.workloadMetadataConfig)"

08 The command output should indicate the workload metadata mode configured for the nodes in the selected GKE node pool. The workload metadata mode determines how metadata is exposed to workloads running on the nodes. If mode is set to GCE_METADATA, all metadata is exposed to pods. If mode is set to GKE_METADATA, the GKE Metadata Server restricts pod access to metadata and facilitates Workload Identity: 

mode=GCE_METADATA

If the container node-pools describe command output returns mode=GCE_METADATA, as shown in the example above, the GKE Metadata Server feature is not enabled for the nodes running within the selected Google Kubernetes Engine (GKE) cluster node pool.

09 Repeat step no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 - 9 for each GKE cluster provisioned for the selected GCP project.

11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable the GKE Metadata Server feature for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 GKE Metadata Server requires Workload Identity to be enabled on your GKE cluster. To enable and configure Workload Identity, follow the steps outlined on this page.

07 Select the NODES tab to access the node pools created for the selected cluster.

08 Click on the name (link) of the GKE cluster node pool that you want to configure and choose EDIT.

09 In the Security section, check the Enable GKE Metadata Server setting checkbox to enable GKE Metadata Server for the selected Google Kubernetes Engine (GKE) cluster node pool. Choose SAVE to apply the changes.

10 Repeat steps no. 8 and 9 to enable GKE Metadata Server for other node pools provisioned within the selected GKE cluster.

11 Repeat steps no. 5 – 10 for each GKE cluster that you want to configure, created for the selected GCP project.

12 Repeat steps no. 2 – 11 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 GKE Metadata Server requires Workload Identity to be enabled on your GKE cluster. To enable and configure Workload Identity, follow the steps outlined on this page.

02 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster node pool that you want to configure as the identifier parameter, to enable the GKE Metadata Server feature for the selected GKE cluster node pool: 

gcloud container node-pools update cc-gke-backend-pool-001
	--region=us-central1
	--cluster=cc-gke-backend-cluster
	--workload-metadata-from-node=GKE_METADATA

03 The command output should return the full URL of the modified GKE node pool: 

Updating node pool cc-gke-backend-pool-001... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster/nodePools/cc-gke-backend-pool-001].

04 Repeat steps no. 1 - 3 to enable GKE Metadata Server for other node pools provisioned for the selected GKE cluster.

05 Repeat steps no. 1 - 4 for each GKE cluster that you want to configure, available within the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.

References

Publication date Dec 2, 2024

Related GKE rules