Severity: HIGH
Source: Trivy
ID: AVD-GCP-0057

Node metadata value disables metadata concealment.

In provider versions prior to 4: the attribute workload_metadata_config.node_metadata configures how node metadata is exposed to workloads. It should be set to SECURE to limit metadata exposure, or to GKE_METADATA_SERVER if Workload Identity is enabled.

Starting with provider version 4: the attribute node_metadata has been removed. Instead, workload_metadata_config.mode controls node metadata exposure. When Workload Identity is enabled, it should be set to GKE_METADATA to prevent unnecessary exposure of the metadata API to workloads.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Set mode to GKE_METADATA

```hcl
resource "google_container_cluster" "primary" {
  name     = "my-gke-cluster"
  location = "us-central1"

  remove_default_node_pool = true
  initial_node_count       = 1

  # GKE_METADATA mode on a node pool requires Workload Identity to be enabled
  # on the cluster. Replace PROJECT_ID with the project that owns the cluster.
  workload_identity_config {
    workload_pool = "PROJECT_ID.svc.id.goog"
  }
}

resource "google_container_node_pool" "good_example" {
  cluster = google_container_cluster.primary.id
  node_config {
    # Serve workloads through the GKE metadata server instead of exposing
    # the underlying Compute Engine node metadata.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}
```