Use Shielded GKE Cluster Nodes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded in order to provide strong cryptographic identity. This limits the ability of an attacker to impersonate a node in your GKE cluster even if the attacker is able to extract the node credentials.

Security

When your GKE cluster pool nodes are not shielded, an attacker can exploit a vulnerability in a Kubernetes Pod to exfiltrate bootstrap credentials and impersonate nodes in your cluster, giving the attacker access to your cluster secrets. When your GKE cluster nodes are shielded, the master node uses a cryptographic check to verify that every node within your cluster is a virtual machine instance running in a Google Cloud data center.

Audit

To determine if your Google Kubernetes Engine (GKE) cluster nodes are shielded, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the navigation panel, select Clusters to access the list of the GKE clusters deployed within the selected project.

05 Click on the name of the GKE cluster that you want to examine.

06 Select the Details tab to access the cluster configuration information, and check the Shielded GKE Nodes configuration attribute value. If the Shielded GKE Nodes value is set to Disabled, the nodes provisioned for the selected Google Kubernetes Engine (GKE) cluster are not shielded against attackers.

07 Repeat steps no. 5 and 6 for each GKE cluster created for the selected Google Cloud project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with a custom format filter to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-bigdata-project-123123
cc-sap-app-project-112233

03 Run the container clusters list command (Windows/macOS/Linux) with a custom format filter to list the name and the location (zone or region) of each GKE cluster provisioned for the selected Google Cloud project:

gcloud container clusters list \
    --project cc-bigdata-project-123123 \
    --format="table(name,location)"

04 The command output should return the requested GKE cluster names and their locations:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1-c
cc-gke-frontend-cluster  us-central1-c

05 Run the container clusters describe command (Windows/macOS/Linux) using the name of the GKE cluster that you want to examine as the identifier parameter, with a custom format filter that returns only the Shielded GKE Nodes feature status for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster \
    --zone=us-central1-c \
    --format="yaml(shieldedNodes)"

06 The command output should return the requested feature status:

shieldedNodes: {}

If the container clusters describe command output returns an empty object for the shieldedNodes configuration attribute, as shown in the example above, the nodes running within the selected Google Kubernetes Engine (GKE) cluster are not shielded against attackers.

07 Repeat steps no. 5 and 6 for each GKE cluster available within the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Shielded GKE Nodes security feature for your existing Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the navigation panel, select Clusters to access the list of the GKE clusters created for the selected project.

05 Click on the name of the GKE cluster that you want to reconfigure, then click on the EDIT button from the console top menu to enter the cluster edit mode.

06 On the selected cluster configuration page, select Enabled from the Shielded GKE Nodes dropdown list to enable the Shielded GKE Nodes feature for the selected cluster.

IMPORTANT: Enabling this security feature will drain, delete, and re-create all nodes in all node pools created for the selected cluster. This process may take a long time, depending on cluster size, usage, and the configured maintenance window. During the operation:

  • Cluster workloads might be temporarily unavailable.
  • Some cluster configuration changes will not be available.
  • Temporary storage volumes are deleted.
  • Persistent disks remain unaffected.
  • Only the Kubernetes Pods managed by controllers are automatically re-created.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 to enable Shielded GKE Nodes feature for other GKE clusters available within the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run the container clusters update command (Windows/macOS/Linux) using the name of the GKE cluster that you want to reconfigure as the identifier parameter, to enable the Shielded GKE Nodes security feature for the selected cluster.

IMPORTANT: Enabling this security feature will drain, delete, and re-create all nodes in all node pools created for the selected cluster. This process may take a long time, depending on cluster size, usage, and the configured maintenance window. During the operation:

  • Cluster workloads might be temporarily unavailable.
  • Some cluster configuration changes will not be available.
  • Temporary storage volumes are deleted.
  • Persistent disks remain unaffected.
  • Only the Kubernetes Pods managed by controllers are automatically re-created.

gcloud container clusters update cc-gke-backend-cluster \
    --zone=us-central1-c \
    --enable-shielded-nodes

02 The command output should return the URL of the reconfigured GKE cluster:

Updating cc-gke-backend-cluster...done.
Updated [https://container.googleapis.com/v1/projects/cc-bigdata-project-123123/zones/us-central1-c/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 to enable the Shielded GKE Nodes feature for other GKE clusters provisioned for the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
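The CLI audit steps above (list projects, list clusters, describe each cluster's shieldedNodes attribute) and the remediation command can be combined into one script that walks every project and prints the update command for each non-compliant cluster. The following is an added example written for this page, not Conformity's or Google's own code. It assumes gcloud is installed and authenticated, uses the gcloud --location flag (which accepts a zone or a region) in place of the page's --zone, and prints the remediation command rather than running it, because the update re-creates every node. The two sample describe outputs are constructed so the classification logic can be exercised without a live project; the live scan only runs when RUN_AUDIT=1 (an environment variable chosen for this example) is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the Conformity page: audit every GKE cluster in
# every project for Shielded GKE Nodes and print (not run) the remediation
# command for each cluster that has the feature disabled.
set -eu

# Constructed sample outputs of
#   gcloud container clusters describe NAME --location=LOC --format="yaml(shieldedNodes)"
# for a cluster with the feature disabled (empty object, as on this page)
# and one with it enabled.
SAMPLE_DISABLED='shieldedNodes: {}'
SAMPLE_ENABLED="$(printf 'shieldedNodes:\n  enabled: true\n')"

# Classify one describe output: "enabled" only when the YAML carries
# "enabled: true" under shieldedNodes; the empty object "{}" and a
# missing key both count as "disabled".
shielded_status() {
  if printf '%s\n' "$1" | grep -Eq '^[[:space:]]+enabled:[[:space:]]*true[[:space:]]*$'; then
    echo "enabled"
  else
    echo "disabled"
  fi
}

# Build the remediation command for one cluster (arguments: project, cluster
# name, location). --location is assumed to accept a zone or a region.
remediation_command() {
  printf 'gcloud container clusters update %s --project %s --location=%s --enable-shielded-nodes\n' \
    "$2" "$1" "$3"
}

# Audit one project: list clusters as tab-separated "name<TAB>location"
# and describe each. Prints "PROJECT CLUSTER LOCATION STATUS" per cluster.
audit_project() {
  project="$1"
  gcloud container clusters list --project "$project" --format="value(name,location)" |
  while IFS="$(printf '\t')" read -r name location; do
    [ -n "$name" ] || continue
    out="$(gcloud container clusters describe "$name" --project "$project" \
             --location="$location" --format="yaml(shieldedNodes)")"
    printf '%s %s %s %s\n' "$project" "$name" "$location" "$(shielded_status "$out")"
  done
}

# Read audit lines from stdin and print the update command for every
# cluster whose status is "disabled"; compliant clusters produce no output.
report_non_compliant() {
  while read -r project name location status; do
    [ "$status" = "disabled" ] || continue
    printf 'NON-COMPLIANT %s/%s (%s): ' "$project" "$name" "$location"
    remediation_command "$project" "$name" "$location"
  done
}

# The live scan runs only when gcloud is installed and RUN_AUDIT=1 is set;
# otherwise the helpers are demonstrated against the constructed samples.
if [ "${RUN_AUDIT:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  gcloud projects list --format="value(projectId)" |
  while read -r project; do audit_project "$project"; done |
  report_non_compliant
else
  printf 'sample disabled -> %s\n' "$(shielded_status "$SAMPLE_DISABLED")"
  printf 'sample enabled  -> %s\n' "$(shielded_status "$SAMPLE_ENABLED")"
  printf '%s\n' 'cc-bigdata-project-123123 cc-gke-backend-cluster us-central1-c disabled' |
    report_non_compliant
fi
```

Run it as `RUN_AUDIT=1 ./audit-shielded-nodes.sh` to scan the account; without the variable it only classifies the two constructed samples, which is useful for checking the parsing on a workstation without gcloud. Only clusters reported as disabled need the update command from step no. 1, so the script never touches a cluster that is already compliant.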

Publication date May 10, 2021