Ensure shielded nodes are enabled for all nodes in Google Container Cluster

LOW

Description

Google Kubernetes Engine (GKE) can be configured to allow only shielded nodes, which helps protect workloads from attack. This setting is enabled by default but can be overridden. For more information on shielded nodes, see the GCP documentation.
References:
https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes

Remediation

In GCP Console -

  1. Open the GCP Portal and Go to the Google Kubernetes Engine (GKE).
  2. Select the cluster you want to edit.
  3. Click Nodes and select the node pool.
  4. Select the Enable Shielded GKE Nodes checkbox.
  5. Click Save Changes.

In Terraform -

  1. In the google_container_cluster resource, set the enable_shielded_nodes attribute to true.
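As an added example (not part of this policy page or of any scanner's own code), the following Python check walks the JSON output of `terraform show -json` and reports, for every google_container_cluster, whether enable_shielded_nodes is explicitly true, explicitly false, or left unset so that the provider default applies; the plan document is a constructed sample trimmed to the fields the check reads.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads; not taken from the original page.
SAMPLE_PLAN = json.dumps({
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_container_cluster.hardened",
                 "type": "google_container_cluster",
                 "values": {"name": "hardened", "enable_shielded_nodes": True}},
                {"address": "google_container_cluster.legacy",
                 "type": "google_container_cluster",
                 "values": {"name": "legacy", "enable_shielded_nodes": False}},
            ],
            "child_modules": [
                {"address": "module.gke",
                 "resources": [
                     {"address": "module.gke.google_container_cluster.unset",
                      "type": "google_container_cluster",
                      "values": {"name": "unset"}},
                 ]},
            ],
        }
    }
})

def _walk(module):
    """Yield every resource in a plan module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def check_shielded_nodes(plan_json):
    """Return {cluster address: verdict}; "pass"=true, "fail"=false, "unset"=absent."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    results = {}
    for res in _walk(root):
        if res.get("type") != "google_container_cluster":
            continue
        flag = res.get("values", {}).get("enable_shielded_nodes")
        # An absent attribute means the provider default decides; the policy
        # wants the value stated explicitly, so it is reported separately.
        results[res["address"]] = {True: "pass", False: "fail"}.get(flag, "unset")
    return results

if __name__ == "__main__":
    for address, verdict in check_shielded_nodes(SAMPLE_PLAN).items():
        print(f"{verdict:5s}  {address}")
```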

References:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#http_load_balancing

Policy Details

Rule Reference ID: AC_GCP_0272
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks