Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Compliance > Kubernetes > CIS - GKE 1.2.0 > Managed Services >

Node Metadata

N/A
Source
Kube Bench
ID
5.4
Version
gke-1.2.0

5.4 Node Metadata

5.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled (Automated)

Using Command Line: To update an existing cluster, create a new Node pool with the legacy GCE metadata endpoint disabled:

gcloud container node-pools create [POOL_NAME] \
  --metadata disable-legacy-endpoints=true \
  --cluster [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE]

You will need to migrate workloads from any existing non-conforming Node pools, to the new Node pool, then delete non-conforming Node pools to complete the remediation.

5.4.2 Ensure the GKE Metadata Server is Enabled (Automated)

Using Command Line: gcloud beta container clusters update [CLUSTER_NAME]
–identity-namespace=[PROJECT_ID].svc.id.goog Note that existing Node pools are unaffected. New Node pools default to –workload- metadata-from-node=GKE_METADATA_SERVER .

To modify an existing Node pool to enable GKE Metadata Server:

gcloud beta container node-pools update [NODEPOOL_NAME] \
  --cluster=[CLUSTER_NAME] \
  --workload-metadata-from-node=GKE_METADATA_SERVER

You may also need to modify workloads in order for them to use Workload Identity as described within https://cloud.google.com/kubernetes-engine/docs/how-to/workload- identity.

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use